[Snort-sigs] IANA reserved IP address rules?

Joshua Wright Joshua.Wright at ...196...
Thu Jun 12 04:43:05 EDT 2003


Just a note to anyone wanting to generate rules to identify traffic
sourced from unallocated netblocks - Rob Thomas maintains a list of
IANA-unallocated "bogons" at
http://www.cymru.com/Documents/bogon-list.html.  He also provides a
CIDR consolidated list of the netblocks, which would reduce the
number of rules to identify this type of traffic from 78 to 35
(http://www.cymru.com/Documents/bogon-dd.html).

-Joshua Wright
Senior Network and Security Architect
Johnson & Wales University
Joshua.Wright at ...196... 
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73


> > I was just curious if anyone ever wrote up a set of rules to detect use
> > of the IANA reserved IP blocks as source addresses for packets, and if
> > they had, what were the results like?
> >
> > alert ip 0.0.0.0/8 any -> any any (msg:"LOCAL IANA Reserved IP used as source address"; sid:1000100; rev:1; classtype:bad-unknown;)

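The CIDR consolidation mentioned in the message, as an added example that is not part of the original post: it merges a list of netblocks and emits one rule per merged block in the format of the quoted rule. The input blocks are a constructed sample, not the bogon list itself, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample input (NOT the real bogon list); '#' starts a comment.
SAMPLE_BLOCKS = """\
# reserved /8 blocks, unaggregated
0.0.0.0/8 127.0.0.0/8
240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8
244.0.0.0/8 245.0.0.0/8 246.0.0.0/8 247.0.0.0/8
248.0.0.0/8 249.0.0.0/8
"""

# Same shape as the rule quoted in the thread; only net and sid vary.
RULE = ('alert ip {net} any -> any any (msg:"LOCAL IANA Reserved IP used as '
        'source address"; sid:{sid}; rev:1; classtype:bad-unknown;)')


def parse_blocks(text):
    """Return IPv4Network objects, skipping blank lines and # comments."""
    nets = []
    for line in text.splitlines():
        for token in line.split("#", 1)[0].split():
            # strict=True raises ValueError when host bits are set
            # (e.g. 10.1.0.0/8), so a typo cannot silently widen a rule.
            nets.append(ipaddress.IPv4Network(token, strict=True))
    return nets


def consolidate(nets):
    """Merge adjacent and overlapping blocks into the fewest CIDRs."""
    return list(ipaddress.collapse_addresses(nets))


def build_rules(nets, first_sid=1000100):
    """One rule per block; SIDs count up from the quoted rule's SID."""
    return [RULE.format(net=n, sid=first_sid + i) for i, n in enumerate(nets)]


if __name__ == "__main__":
    raw = parse_blocks(SAMPLE_BLOCKS)
    merged = consolidate(raw)
    print(f"# {len(raw)} blocks -> {len(merged)} rules")
    print("\n".join(build_rules(merged)))
```

Unallocated space shrinks as IANA hands out blocks, so rules generated this way need regenerating from a current list, or they will alert on legitimate traffic.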




