[Snort-sigs] IANA reserved IP address rules?

Matt Kettler mkettler at ...189...
Wed Jun 11 13:50:09 EDT 2003


I was just curious if anyone ever wrote up a set of rules to detect use of 
the IANA reserved IP blocks as source addresses for packets, and if they 
had, what were the results like?

This appears to have been discussed in 2000 under the thread "[snort] 
Spoofed IP source detection" (http://archives.neohapsis.com/archives/snort/2000-03/0434.html), 
but there was mostly debate over which blocks to include, etc., and no 
discussion of results.

I'm asking because I recently wrote up a batch of rules to cover most of 
them based on http://www.iana.org/assignments/ipv4-address-space. So far it 
seems to be not making undue noise, well, after I fixed a typo.
The rules I'm trying out are in the general format:

alert ip 0.0.0.0/8 any -> any any (msg:"LOCAL IANA Reserved IP used as source address"; sid:1000100; rev:1; classtype:bad-unknown;)

My theory is to try to detect packets with spoofed source IPs from tools 
that are foolish enough to pick IPs purely at random.

Comments, suggestions, theories, conspiracy theories?
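An added example, not from the original post: a small Python script that emits rules in the post's format for a constructed subset of the permanently reserved IPv4 blocks (the ones from RFC 1918, RFC 5735/6890 that still hold today) and checks constructed packet source addresses against them. The sid base 1000100 is taken from the post; the block list and labels are my own and would need regenerating from the current IANA registry, since several /8s reserved in 2003 have since been allocated.

```python
import ipaddress

# Constructed subset of IANA special-purpose IPv4 blocks. Regenerate from the
# live registry before deploying; reserved space has shrunk since 2003.
RESERVED_BLOCKS = {
    "0.0.0.0/8": "this network",
    "10.0.0.0/8": "RFC 1918 private",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local",
    "172.16.0.0/12": "RFC 1918 private",
    "192.0.2.0/24": "TEST-NET-1 documentation",
    "192.168.0.0/16": "RFC 1918 private",
    "198.51.100.0/24": "TEST-NET-2 documentation",
    "203.0.113.0/24": "TEST-NET-3 documentation",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved for future use",
}
# Note: the RFC 1918 entries only make sense on a sensor watching the
# external side of the border; inside the LAN they are normal sources.

SID_BASE = 1000100  # local sid range used in the post


def generate_rules(blocks=RESERVED_BLOCKS, sid_base=SID_BASE):
    """One 'alert ip' rule per block, in the post's format, with sequential sids."""
    rules = []
    for i, (cidr, label) in enumerate(blocks.items()):
        rules.append(
            f'alert ip {cidr} any -> any any (msg:"LOCAL IANA Reserved IP used as '
            f'source address - {label}"; sid:{sid_base + i}; rev:1; '
            f'classtype:bad-unknown;)'
        )
    return rules


def matching_block(src_ip, blocks=RESERVED_BLOCKS):
    """Return the reserved CIDR the source address falls in, or None if routable."""
    addr = ipaddress.ip_address(src_ip)
    for cidr in blocks:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


def triage(sample_sources, blocks=RESERVED_BLOCKS):
    """Map each constructed packet source to the block it would alert on."""
    return {src: matching_block(src, blocks) for src in sample_sources}


if __name__ == "__main__":
    print("\n".join(generate_rules()))
    # constructed sample sources: two spoofed-looking, one public
    print(triage(["127.0.0.1", "192.0.2.44", "8.8.8.8"]))
```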