[Snort-devel] ascii output's problems

Nicolas Delon delon.nicolas at ...1042...
Fri Sep 12 23:57:01 EDT 2003


Erek Adams wrote:
> On Sat, 13 Sep 2003, Nicolas Delon wrote:
> 
> [...snip...]
> 
> 
>>So, if someone attacks a host with a source port lower than the target
>>port, path and filename will be inverted (source ip <=> destination ip,
>>source port <=> destination port).
> 
> 
> There's something you missed.
> 
> Check back up in the code a few lines:
> 
>     /* figure out which way this packet is headed in relation to the homenet */
>     if((p->iph->ip_dst.s_addr & pv.netmask) == pv.homenet)
>     {
>         if((p->iph->ip_src.s_addr & pv.netmask) != pv.homenet)

You're right, I missed this option...

> If you use '-h 10.42.0.0/24' you don't have the problem.  From the man
> page:
> 
>      -h home-net
>           Set the "home network" to home-net. The format of  this
>           address variable is a network prefix plus a CIDR block,
>           such as 192.168.1.0/24.  Once this variable is set, all
>           decoded  packet  logging  will  be done relative to the
>           home network address space.  This is useful because  of
>           the  way  that  Snort formats its ASCII log data.  With
>           this value set to the local network, all decoded output
>           will be logged into decode directories with the address
>           of the foreign computer as the directory name, which is
>           very useful during traffic analysis.

... however, this won't change anything, because 10.42.0.1 and 10.42.0.2 
are on the same network. We will also have the problem if an attacker 
outside the homenet spoofs his IP to a homenet IP, and if someone *from* 
the homenet attacks internet hosts from a lower port than the target port.

I think that the only way to solve those problems would be to keep track 
of TCP/UDP "connections"/exchanges.

-- 
"The only way to stop open source is to make it illegal." - Bruce Perens
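The following is an added example (not Snort's LogAscii code, and not part of the original post) that models the two naming rules argued about in this thread: the stateless rule that names the log directory after the host outside the homenet and otherwise guesses that the higher port is the client, and the connection-tracking rule suggested above, which names it after the sender of the first packet seen for a flow. The struct names, the hypothetical homenet 10.42.0.0/24, and the sample packets (attacker 10.42.0.2 port 21 hitting 10.42.0.1 port 6000, and an outside attacker 203.0.113.9) are all constructed for the illustration; the "proto:client-server" file name format is likewise only a model of the behaviour described, not Snort's exact format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the ASCII-output naming rule debated in the thread.
 * Addresses are host-order uint32_t; the homenet is network + mask, and a
 * mask of 0 means "-h was not given". Not Snort's own code. */

typedef struct { uint32_t src_ip, dst_ip; uint16_t sp, dp; } pkt_t;
typedef struct { uint32_t dir_ip; uint16_t client_pt, server_pt; } logname_t;

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Stateless rule: the host outside the homenet owns the directory; when that
 * does not decide it (both inside, both outside, or no homenet, which is also
 * what a spoofed homenet source looks like) assume the higher port is the
 * client. That guess is what inverts the path when sp < dp. */
logname_t stateless_name(const pkt_t *p, uint32_t homenet, uint32_t mask)
{
    logname_t n;
    int src_home = (p->src_ip & mask) == homenet;
    int dst_home = (p->dst_ip & mask) == homenet;
    int src_is_client;

    if (src_home != dst_home)
        src_is_client = !src_home;          /* packet crosses the homenet edge */
    else
        src_is_client = p->sp >= p->dp;     /* port guess: wrong for attacker sp < dp */

    n.dir_ip    = src_is_client ? p->src_ip : p->dst_ip;
    n.client_pt = src_is_client ? p->sp : p->dp;
    n.server_pt = src_is_client ? p->dp : p->sp;
    return n;
}

/* Stateful rule: remember the first packet of each 4-tuple (either direction)
 * and treat its sender as the initiator, whatever the ports or homenet say. */
#define MAX_FLOWS 64
typedef struct { pkt_t first; } flow_t;
typedef struct { flow_t flows[MAX_FLOWS]; int n; } tracker_t;   /* zero-initialise */

static int same_flow(const pkt_t *a, const pkt_t *b)
{
    return (a->src_ip == b->src_ip && a->sp == b->sp && a->dst_ip == b->dst_ip && a->dp == b->dp)
        || (a->src_ip == b->dst_ip && a->sp == b->dp && a->dst_ip == b->src_ip && a->dp == b->sp);
}

logname_t tracked_name(tracker_t *t, const pkt_t *p)
{
    const pkt_t *first = NULL;
    for (int i = 0; i < t->n && !first; i++)
        if (same_flow(&t->flows[i].first, p))
            first = &t->flows[i].first;
    if (!first) {                       /* new flow: this packet's sender initiated it */
        if (t->n < MAX_FLOWS)
            t->flows[t->n++].first = *p;
        first = p;
    }
    logname_t n = { first->src_ip, first->sp, first->dp };
    return n;
}

/* Render "<dir ip>/<proto>:<client port>-<server port>" (model format only). */
void format_path(char *buf, size_t len, const char *proto, logname_t n)
{
    snprintf(buf, len, "%u.%u.%u.%u/%s:%u-%u",
             (unsigned)(n.dir_ip >> 24), (unsigned)((n.dir_ip >> 16) & 255),
             (unsigned)((n.dir_ip >> 8) & 255), (unsigned)(n.dir_ip & 255),
             proto, (unsigned)n.client_pt, (unsigned)n.server_pt);
}

int main(void)
{
    uint32_t homenet = ip4(10, 42, 0, 0), mask = 0xFFFFFF00u;   /* -h 10.42.0.0/24 */
    pkt_t atk = { ip4(10, 42, 0, 2), ip4(10, 42, 0, 1), 21, 6000 };   /* inside attacker, low sp */
    pkt_t rep = { ip4(10, 42, 0, 1), ip4(10, 42, 0, 2), 6000, 21 };   /* victim's reply */
    tracker_t t = {0};
    char buf[64];

    format_path(buf, sizeof buf, "TCP", stateless_name(&atk, homenet, mask));
    printf("stateless, with -h : %s   (named after the victim)\n", buf);
    format_path(buf, sizeof buf, "TCP", tracked_name(&t, &atk));
    printf("tracked, SYN       : %s   (named after the attacker)\n", buf);
    format_path(buf, sizeof buf, "TCP", tracked_name(&t, &rep));
    printf("tracked, reply     : %s   (same file as the SYN)\n", buf);
    return 0;
}
```

The tracker is deliberately minimal: it keys on the first packet it happens to see and never expires entries, so a real implementation would key on the TCP SYN, time out idle flows, and bound the table against a flood of new 4-tuples, which is itself a resource the attacker controls.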