[Snort-sigs] Addition to bad-traffic.rules

Joshua Wright Joshua.Wright at ...196...
Sun Nov 18 14:42:02 EST 2001

Has anyone considered adding the lists of bogon netblocks to the
bad-traffic.rules list?  For example, 1/8, 2/8, 5/8,
7/8, 10/8, etc.? (i.e. those not allocated by ARIN, APNIC, etc.).

alert ip any any <> any any (msg:"BAD TRAFFIC from unused netblock detected"; classtype:bad-unknown; sid:???; rev:1;)

Rob Thomas maintains a list of these addresses in his "Securing IOS"
template for Cisco routers at

These would be fast rules without any datagram content checking, and IMHO
would not be prone to false positives.  This would help to identify crafted
packets quickly (such as those used by rand/255 SYN flood attacks).  On the
other hand, a SYN flood would create a frenzy of these alerts. :(


-Joshua Wright, GCIH
Joshua.Wright at ...196...
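As an added illustration of the idea in the post (this is example code written for this page, not something Joshua Wright or the Snort project published), the script below turns a list of unallocated netblocks into one header-only Snort rule per block, with the source constrained to the netblock rather than "any", and classifies a few constructed sample source addresses against the same list. The netblocks are the five the post names, as a 2001 snapshot; several of them have since been allocated, so a real deployment must regenerate the rules from a current bogon list. The $HOME_NET variable, the local SID range starting at 1000000 and the rule wording are assumptions.

```python
"""Added example (not from the original post): generate Snort rules that flag
packets sourced from unallocated ("bogon") netblocks, and check constructed
sample addresses against the same list.

The netblock list is the 2001 snapshot named in the post; several of these
prefixes have since been allocated, so regenerate from a current list.
The SID base, $HOME_NET variable and msg text are assumptions.
"""
import ipaddress

# Netblocks named in the post: 1/8, 2/8, 5/8, 7/8, 10/8 (historical list).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "1.0.0.0/8", "2.0.0.0/8", "5.0.0.0/8", "7.0.0.0/8", "10.0.0.0/8")]

# Assumption: local rules take SIDs >= 1,000,000, leaving lower SIDs for
# the distributed rule set.
LOCAL_SID_BASE = 1000000


def bogon_source(addr):
    """Return the bogon netblock containing addr, or None if it is in none."""
    ip = ipaddress.ip_address(addr)
    for net in BOGON_NETS:
        if ip in net:
            return net
    return None


def snort_rules(home_net="$HOME_NET"):
    """One rule per netblock, matching on the IP header only (no payload
    inspection, so the check is cheap). A distinct SID per block means an
    alert also tells you which unused netblock the crafted source fell in."""
    rules = []
    for i, net in enumerate(BOGON_NETS):
        rules.append(
            f"alert ip {net} any -> {home_net} any "
            f'(msg:"BAD TRAFFIC from unused netblock {net}"; '
            f"classtype:bad-unknown; sid:{LOCAL_SID_BASE + i}; rev:1;)")
    return rules


def flag_sources(sources):
    """Map each source address to the bogon netblock it lies in, or None."""
    return {src: bogon_source(src) for src in sources}


# Constructed sample: two sources inside bogon space (as a rand/255 SYN flood
# would produce about 5/256 of the time with this list) and one legitimate one.
SAMPLE_SOURCES = ["1.2.3.4", "10.200.0.9", "192.0.2.10"]

if __name__ == "__main__":
    for rule in snort_rules():
        print(rule)
    for src, net in flag_sources(SAMPLE_SOURCES).items():
        print(f"{src}: {'bogon ' + str(net) if net else 'not in bogon list'}")
```

The generated rules keep the author's property of needing no content match, but because the source side of the header carries the netblock, they fire only on addresses from the unused space instead of on every packet. Running the script prints the five rules followed by the classification of the three sample sources.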

