[Snort-sigs] IANA reserved IP address rules?
Harper, John T.
JTHarper at ...1609...
Mon Jun 16 10:20:11 EDT 2003
My 2 cents...
Since private addresses aren't supposed to be forwarded on the Internet, why
are these tools necessary?
Your ISP's router(s) reverse DNS feature should drop a packet that has a
private address as the source.
From: Matt Kettler [mailto:mkettler at ...189...]
Sent: Wednesday, June 11, 2003 1:48 PM
To: Snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] IANA reserved IP address rules?
I was just curious if anyone ever wrote up a set of rules to detect use of
the IANA reserved IP blocks as source addresses for packets, and if they
had, what were the results like?
This appears to have been discussed in 2000 under the thread
"Spoofed IP source detection" but there was mostly debate over which blocks
to include etc., and no discussion of results.
I'm asking because I recently wrote up a batch of rules to cover most of
them based on http://www.iana.org/assignments/ipv4-address-space. So far it
seems to be not making undue noise, well, after I fixed a typo.
The rules I'm trying out are in the general format:
alert ip 0.0.0.0/8 any -> any any (msg:"LOCAL IANA Reserved IP used as source address"; sid:1000100; rev:1; classtype:bad-unknown;)
My theory is to try to detect packets with spoofed source IPs from tools
that are foolish enough to pick IPs purely at random.
Comments, suggestions, theories, conspiracy theories?
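A batch of rules in the format quoted above can be generated from a prefix list rather than typed by hand. The following is an added example, not code from the thread or from Snort: SAMPLE_BLOCKS is a constructed list, and the function names and the local_nets parameter (prefixes the sensor legitimately sees as sources, carved out to avoid noise) are hypothetical.

```python
import ipaddress

# Constructed sample input: a few well-known special-purpose IPv4 blocks.
# This is not the author's list; build the real one from the current IANA registry.
SAMPLE_BLOCKS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                 "192.168.0.0/16", "240.0.0.0/4"]

RULE = ('alert ip {net} any -> any any (msg:"LOCAL IANA Reserved IP used as '
        'source address"; sid:{sid}; rev:1; classtype:bad-unknown;)')


def subtract(nets, exclude):
    """Return nets with every address inside `exclude` removed."""
    out = []
    for net in nets:
        if net.subnet_of(exclude):          # block lies wholly inside the exclusion
            continue
        if exclude.subnet_of(net):          # carve the exclusion out of a larger block
            out.extend(net.address_exclude(exclude))
        else:                               # no overlap
            out.append(net)
    return out


def source_networks(blocks, local_nets=()):
    """Collapse the block list, then remove prefixes legitimately seen as sources."""
    nets = list(ipaddress.collapse_addresses(ipaddress.ip_network(b) for b in blocks))
    for local in local_nets:
        nets = subtract(nets, ipaddress.ip_network(local))
    return sorted(ipaddress.collapse_addresses(nets))


def build_rules(blocks, local_nets=(), first_sid=1000100):
    """One rule per network, each on a single line with its own sid."""
    nets = source_networks(blocks, local_nets)
    return [RULE.format(net=net, sid=first_sid + i) for i, net in enumerate(nets)]


if __name__ == "__main__":
    # Hypothetical sensor that sees 10.1.0.0/16 as normal internal traffic.
    for rule in build_rules(SAMPLE_BLOCKS, local_nets=["10.1.0.0/16"]):
        print(rule)
```

Because the registry at the URL in the post changes as blocks are allocated, the rule set should be regenerated from it periodically; a stale list alerts on legitimate traffic.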