[Snort-sigs] IANA reserved IP address rules?

Jeff Nathan jeff at ...95...
Wed Jun 11 19:55:09 EDT 2003



I've never done it with Snort, but I've done it at the router before.

Nice job on whipping them up pretty quickly like that, very slick using the 
IANA document.

I'd really enjoy hearing about your results as you keep using these rules.

Chad Loder wrote up a neat patch for nmap that makes sure nmap is not using 
reserved IP addresses when auto-generating source IP addresses.  It'd be a 
good idea for anyone writing software to check out the implementation 
within nmap.

-Jeff


--On Wednesday, June 11, 2003 16:47:59 -0400 Matt Kettler 
<mkettler at ...189...> wrote:

> I was just curious if anyone ever wrote up a set of rules to detect use
> of the IANA reserved IP blocks as source addresses for packets, and if
> they had, what were the results like?
>
> This appears to have been discussed in 2000 under the thread "[snort]
> Spoofed IP source detection"
> <http://archives.neohapsis.com/archives/snort/2000-03/0434.html> but there
> was mostly debate over which blocks to include etc, and no discussion of
> results..
>
> I'm asking because I recently wrote up a batch of rules to cover most of
> them based on http://www.iana.org/assignments/ipv4-address-space. So far it
> seems to be not making undue noise, well, after I fixed a typo.. The
> rules I'm trying out are in the general format:
>
> alert ip 0.0.0.0/8 any -> any any (msg:"LOCAL IANA Reserved IP used as source address"; sid:1000100; rev:1; classtype:bad-unknown;)
>
> My theory is to try to detect packets with spoofed source IPs from tools
> that are foolish enough to pick IPs purely at random.
>
> Comments, suggestions, theories, conspiracy theories?


--
http://cerberus.sourcefire.com/~jeff       (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
minds."
- Albert Einstein
    
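Added example, not part of the original thread and not the poster's rule set: a Python script that emits rules in the format quoted above from a block list, rejects mistyped or overlapping blocks, and reports which rule a given source address would trigger. The three-entry block list, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: a constructed three-entry list, not the poster's 2003 rule set.
# All three are special-purpose ranges in the IANA IPv4 registry; most /8s
# that were reserved in 2003 have since been allocated, so a full list has
# to be rebuilt from the current registry.
RESERVED_BLOCKS = ["0.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4"]

# Rule text follows the format quoted in the thread, on a single line.
RULE_FMT = ('alert ip {net} any -> any any (msg:"LOCAL IANA Reserved IP used '
            'as source address"; sid:{sid}; rev:1; classtype:bad-unknown;)')


def build_rules(blocks, first_sid=1000100):
    """Return [(network, sid, rule_text)], one rule per block."""
    # strict=True rejects entries with host bits set, e.g. "10.0.0.1/8",
    # which catches the kind of typo that would otherwise ship in a rule.
    nets = [ipaddress.ip_network(b, strict=True) for b in blocks]
    # Overlapping blocks would raise two alerts for a single packet.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return [(net, first_sid + i, RULE_FMT.format(net=net, sid=first_sid + i))
            for i, net in enumerate(nets)]


def matching_sid(rules, src):
    """Return the sid of the rule whose block contains src, or None."""
    addr = ipaddress.ip_address(src)
    for net, sid, _ in rules:
        if addr in net:
            return sid
    return None


if __name__ == "__main__":
    rules = build_rules(RESERVED_BLOCKS)
    for _, _, text in rules:
        print(text)
    # Constructed sample source addresses.
    for src in ["0.12.34.56", "127.0.0.1", "250.1.2.3", "192.0.2.10"]:
        print(src, "->", matching_sid(rules, src))
```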




