[Snort-sigs] RESERVED IP and Broadcast address

Michael Scheidell scheidell at ...249...
Wed Aug 6 03:25:03 EDT 2003


> I am using SNORT as included in IPCop 1.3, and noticed some broadcast address packets arriving from the internet 
> 
> udp
> from: 10.123.192.1:67
> to: 255.255.255.255:68
> 
> This appears to be a broadcast from 10.x.x.x (a reserved address) looking for a BOOTP host!
> 
> I am a newcomer at Snort, so would appreciate some feedback/assistance:
> 
> Does anyone have a good set of rules for alerting/stopping [unwanted] broadcasts from a RED interface which don't make any sense?  Bearing in mind that I need to retain DHCP ip address acquisition.

See the RFCs for ISPs. One of the things it talks about is ACLs on
your border router for RFC 1918 (private) IP addresses.

I think there is a link on www.secnap.com; click on free downloads.
Find the link for the RFCs for ISPs.

Also, I think a Google for 'cisco+rfc1918' should find some suggestions as
well.
> 
> Does anyone have a set of SNORT rules for alerting/stopping illegal/reserved IP addresses at a RED interface?

You should block them at the border router. Alerting does what? You can't
track them, can't trace them, not without the ISP, and it is obvious that
the ISP isn't following the RFC for ISPs or they would have blocked
private IP addresses themselves.
-- 
Michael Scheidell,
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
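
Added example, not part of the original message or of any poster's code: a small Python model of a first-match ingress ACL that drops RFC 1918 sources on the outside interface while keeping DHCP replies (UDP 67 to 68), the constraint raised in the question. The function names, the rule order and all sample packets except the one quoted in the thread are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges; none should appear as a source on an Internet-facing interface.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def is_dhcp_reply(pkt):
    # DHCP/BOOTP server-to-client traffic: UDP source port 67, destination port 68.
    return pkt["proto"] == "udp" and pkt["sport"] == 67 and pkt["dport"] == 68

def ingress_verdict(pkt, allow_dhcp=True):
    """First-match evaluation, in the order an ACL would list its entries."""
    if allow_dhcp and is_dhcp_reply(pkt):
        return "permit"   # entry 1: keep address acquisition working
    if is_rfc1918(pkt["src"]):
        return "deny"     # entry 2: private source arriving from outside
    return "permit"       # entry 3: left to the rest of the policy

# Constructed sample packets; only the first matches the one reported in the thread.
SAMPLES = [
    {"proto": "udp", "src": "10.123.192.1", "sport": 67,
     "dst": "255.255.255.255", "dport": 68},
    {"proto": "udp", "src": "10.123.192.1", "sport": 1025,
     "dst": "255.255.255.255", "dport": 137},
    {"proto": "tcp", "src": "192.168.1.5", "sport": 4000,
     "dst": "198.51.100.7", "dport": 80},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 4000,
     "dst": "198.51.100.7", "dport": 80},
]

def verdicts(allow_dhcp=True):
    return [ingress_verdict(p, allow_dhcp) for p in SAMPLES]

if __name__ == "__main__":
    for p, v in zip(SAMPLES, verdicts()):
        print(f'{v:6} {p["proto"]} {p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}')
```

With the DHCP entry placed first, the reported 10.123.192.1:67 packet is permitted; without it, the same packet is dropped along with every other private-source packet.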