[Snort-sigs] IANA reserved IP address rules?
jeff at ...95...
Wed Jun 11 19:55:09 EDT 2003
I've never done it with Snort, but I've done it at the router before.
Nice job on whipping them up pretty quickly like that, very slick using the
I'd really enjoy hearing about your results as you keep using these rules.
Chad Loder wrote up a neat patch for nmap that makes sure nmap is not using
reserved IP addresses when auto-generating source IP addresses. It'd be a
good idea for anyone writing software to check out the implementation
--On Wednesday, June 11, 2003 16:47:59 -0400 Matt Kettler
<mkettler at ...189...> wrote:
> I was just curious if anyone ever wrote up a set of rules to detect use
> of the IANA reserved IP blocks as source addresses for packets, and if
> they had, what were the results like?
> This appears to have been discussed in 2000 under the thread
> "Spoofed IP source detection" but there was mostly debate over which
> blocks to include etc, and no discussion of results..
> I'm asking because I recently wrote up a batch of rules to cover most of
> them based on http://www.iana.org/assignments/ipv4-address-space. So far it
> seems to be not making undue noise, well, after I fixed a typo.. The
> rules I'm trying out are in the general format:
> alert ip 0.0.0.0/8 any -> any any (msg:"LOCAL IANA Reserved IP used as
> source address"; sid:1000100; rev:1; classtype:bad-unknown;)
> My theory is to try to detect packets with spoofed source IPs from tools
> that are foolish enough to pick IPs purely at random.
> Comments, suggestions, theories, conspiracy theories?
http://cerberus.sourcefire.com/~jeff (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
- Albert Einstein
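The rule format quoted in the message above, generated from a block list and checked against sample source addresses; this is an added example, not part of the original thread. The block list is an assumption (RFC 6890 special-purpose ranges, since the post names only 0.0.0.0/8), and the function names are hypothetical.

```python
import ipaddress

# Assumption: RFC 6890 special-purpose blocks, not the 2003 IANA "reserved"
# list the post refers to (most of those /8s have since been allocated).
SPECIAL_BLOCKS = [
    "0.0.0.0/8",        # "this network"
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "192.0.2.0/24",     # TEST-NET-1
    "198.51.100.0/24",  # TEST-NET-2
    "203.0.113.0/24",   # TEST-NET-3
    "240.0.0.0/4",      # reserved (former class E)
]

MSG = "LOCAL IANA Reserved IP used as source address"  # msg text from the post


def build_rules(blocks, first_sid=1000100, rev=1):
    """Return one Snort rule per block, in the format quoted in the post.

    strict=True rejects a CIDR with host bits set (e.g. 10.0.0.1/8), which
    catches the kind of typo that would otherwise load as a wrong rule.
    collapse_addresses() sorts the blocks and merges overlapping or adjacent
    ones, so a packet never matches two rules from this set.
    """
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(b, strict=True) for b in blocks
    )
    return [
        f'alert ip {net} any -> any any (msg:"{MSG}"; '
        f"sid:{first_sid + i}; rev:{rev}; classtype:bad-unknown;)"
        for i, net in enumerate(nets)
    ]


def matching_block(src, blocks):
    """Return the listed block a source address falls in, or None."""
    addr = ipaddress.ip_address(src)
    for b in blocks:
        if addr in ipaddress.ip_network(b):
            return b
    return None


if __name__ == "__main__":
    print("\n".join(build_rules(SPECIAL_BLOCKS)))
    # Constructed sample source addresses, for a dry run before deploying.
    for src in ["0.12.34.56", "192.0.2.77", "8.8.8.8", "250.1.2.3"]:
        print(src, "->", matching_block(src, SPECIAL_BLOCKS))
```

On a LAN-facing sensor the 0.0.0.0/8 rule also matches DHCP clients, which legitimately send from 0.0.0.0 before they hold a lease. A list built from IANA's unallocated space has to be regenerated whenever allocations change.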