[Snort-sigs] Addition to bad-traffic.rules

Joshua Wright Joshua.Wright at ...196...
Sun Nov 18 14:42:02 EST 2001


Has anyone considered adding the lists of bogon netblocks to the
bad-traffic.rules list?  For example, 1/8 (1.0.0.0/255.0.0.0), 2/8, 5/8,
7/8, 10/8, etc? (i.e. those not allocated by ARIN, APNIC, etc).

alert ip any any <> 1.0.0.0/8 any (msg:"BAD TRAFFIC from unused netblock
detected"; classtype:bad-unknown; sid:???; rev:1;)

Rob Thomas maintains a list of these addresses in his "Securing IOS"
template for Cisco routers at
http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html.

These would be fast rules without any datagram content checking, and IMHO
would not be prone to false positives.  This would help to identify crafted
packets quickly (such as those used by rand/255 SYN flood attacks).  On the
other hand, a SYN flood would create a frenzy of these alerts. :(

Thoughts?

-Joshua Wright, GCIH
Joshua.Wright at ...196...
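The rule generation and matching the post describes, as an added example that is not part of the original message: a Python script that renders one bidirectional Snort rule per netblock (using the msg text from the post and an assumed local SID range starting at 1000000, since the post leaves the sid open), checks constructed sample packets against the same netblocks the way the rule would, and collapses the per-packet alerts into one count per netblock to blunt the alert flood a spoofed SYN flood produces. The netblock list below is a constructed sample, not Rob Thomas's list; several of the /8s named in the post have been allocated since 2001, so any real deployment regenerates the rules from a current bogon feed.

```python
"""Generate Snort bogon rules from a netblock list and check sample
packets against them.  Added example, not code from the original post."""
import ipaddress
from collections import Counter

# Constructed sample of unallocated/reserved netblocks as they stood in
# 2001 (not the full Rob Thomas list; several of these /8s have since
# been allocated, so regenerate from a current bogon feed before use).
SAMPLE_BOGONS = [
    "0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "5.0.0.0/8", "7.0.0.0/8",
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
]

# Same shape as the rule in the post; the netblock is repeated in msg so
# an analyst can tell the alerts apart without looking up the sid.
RULE_TEMPLATE = (
    'alert ip any any <> {net} any (msg:"BAD TRAFFIC from unused netblock '
    '{net} detected"; classtype:bad-unknown; sid:{sid}; rev:1;)'
)


def parse_bogons(cidrs):
    """Validate CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def snort_rules(cidrs, base_sid=1000000):
    """Render one rule per netblock.  base_sid is an assumed local-range
    starting SID (hypothetical); pick one that does not collide with the
    stock rule set."""
    nets = parse_bogons(cidrs)
    return [RULE_TEMPLATE.format(net=n.with_prefixlen, sid=base_sid + i)
            for i, n in enumerate(nets)]


def matching_bogon(addr, nets):
    """Return the bogon network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for n in nets:
        if ip in n:
            return n
    return None


def bogon_hits(packets, cidrs):
    """packets: iterable of (src, dst) address strings.  Returns a list of
    (src, dst, bogon_net) for packets where either end is in a bogon block,
    mirroring the bidirectional '<>' operator in the rule."""
    nets = parse_bogons(cidrs)
    hits = []
    for src, dst in packets:
        net = matching_bogon(src, nets) or matching_bogon(dst, nets)
        if net is not None:
            hits.append((src, dst, net.with_prefixlen))
    return hits


def alerts_per_netblock(hits):
    """Collapse the per-packet alert flood a spoofed SYN flood produces
    into one count per netblock, which is what an analyst wants first."""
    return Counter(net for _, _, net in hits)


# Constructed sample traffic: spoofed sources of the kind a rand/255 SYN
# flood produces, one packet from outside the sample list, and one
# outbound packet to RFC 1918 space that the '<>' rule also catches.
SAMPLE_PACKETS = [
    ("1.23.45.67", "203.0.113.10"),
    ("5.200.1.1", "203.0.113.10"),
    ("7.7.7.7", "203.0.113.10"),
    ("1.99.99.99", "203.0.113.10"),
    ("198.51.100.5", "203.0.113.10"),  # not in the sample list: no alert
    ("203.0.113.10", "10.0.0.5"),       # outbound to 10/8, caught by '<>'
]

if __name__ == "__main__":
    for rule in snort_rules(SAMPLE_BOGONS):
        print(rule)
    hits = bogon_hits(SAMPLE_PACKETS, SAMPLE_BOGONS)
    for src, dst, net in hits:
        print(f"{src} -> {dst}  matched {net}")
    print(dict(alerts_per_netblock(hits)))
```

Running it prints the twelve generated rules, five matching packets (the 198.51.100.5 packet is not in the sample list and stays quiet), and a per-netblock count in which 1.0.0.0/8 appears twice. Feeding the generated rules into a real bad-traffic.rules still requires choosing a SID range that does not collide with the stock rules and refreshing the netblock list as allocations change.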
