[Snort-sigs] IANA reserved IP address rules?
mkettler at ...189...
Wed Jun 11 13:50:09 EDT 2003
I was just curious if anyone ever wrote up a set of rules to detect use of
the IANA reserved IP blocks as source addresses for packets, and if they
had, what were the results like?
This appears to have been discussed in 2000 under the thread
"Spoofed IP source detection", but there was mostly debate over which blocks
to include etc., and no discussion of results.
I'm asking because I recently wrote up a batch of rules to cover most of
them based on http://www.iana.org/assignments/ipv4-address-space. So far it
seems to be not making undue noise, well, after I fixed a typo.
The rules I'm trying out are in the general format:
alert ip 0.0.0.0/8 any -> any any (msg:"LOCAL IANA Reserved IP used as source address"; sid:1000100; rev:1; classtype:bad-unknown;)
My theory is to try to detect packets with spoofed source IPs from tools
that are foolish enough to pick IPs purely at random.
Comments, suggestions, theories, conspiracy theories?
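As an added illustration of the approach in the post (not the poster's own rule set), the script below generates one rule per reserved block in the same format, with sequential local sids, and applies the same block list to constructed sample flows to show which sources would fire. The block list is an assumption for illustration: the IANA registry changes over time, and the RFC 1918 private blocks only make sense on an external interface, since they are legitimate sources inside a network.

```python
import ipaddress

# Assumed list of reserved / special-purpose IPv4 blocks (illustration only;
# regenerate from the current IANA registry rather than trusting this list).
RESERVED_BLOCKS = [
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast; never valid as a unicast source
    "240.0.0.0/4",      # reserved for future use
]

BASE_SID = 1000100  # local rules use sids in the 1000000+ range, as in the post


def snort_rules(blocks=RESERVED_BLOCKS, base_sid=BASE_SID):
    """Emit one rule per block in the post's format, each with a unique sid."""
    return [
        f'alert ip {block} any -> any any '
        f'(msg:"LOCAL IANA Reserved IP used as source address"; '
        f'sid:{base_sid + i}; rev:1; classtype:bad-unknown;)'
        for i, block in enumerate(blocks)
    ]


def is_reserved_source(src_ip, blocks=RESERVED_BLOCKS):
    """True if src_ip falls inside any of the reserved blocks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(b) for b in blocks)


def flag_spoofed(flows, blocks=RESERVED_BLOCKS):
    """Return the (src, dst) pairs whose source address is reserved."""
    return [(s, d) for s, d in flows if is_reserved_source(s, blocks)]


# Constructed sample flows, not real traffic; destinations use a TEST-NET block.
SAMPLE_FLOWS = [
    ("0.0.0.0", "203.0.113.10"),       # fires: "this" network
    ("198.51.100.7", "203.0.113.10"),  # routable source, no alert
    ("240.1.2.3", "203.0.113.10"),     # fires: reserved block
    ("192.168.1.5", "203.0.113.10"),   # fires only if seen on an external interface
]

if __name__ == "__main__":
    print("\n".join(snort_rules()))
    print(flag_spoofed(SAMPLE_FLOWS))
```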