[Snort-sigs] IANA reserved IP address rules?

Harper, John T. JTHarper at ...1609...
Mon Jun 16 10:20:11 EDT 2003


My 2 cents...

Since private addresses aren't supposed to be forwarded on the Internet, why
are these tools necessary?

Your ISP's router(s) reverse DNS feature should drop a packet that has a
private address as the source.

John Harper

-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...189...]
Sent: Wednesday, June 11, 2003 1:48 PM
To: Snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] IANA reserved IP address rules?


I was just curious if anyone ever wrote up a set of rules to detect use of 
the IANA reserved IP blocks as source addresses for packets, and if they 
had, what were the results like?

This appears to have been discussed in 2000 under the thread 
"[snort] Spoofed IP source detection" 
(http://archives.neohapsis.com/archives/snort/2000-03/0434.html) but there 
was mostly debate over which blocks to include etc, and no discussion of 
results..

I'm asking because I recently wrote up a batch of rules to cover most of 
them based on http://www.iana.org/assignments/ipv4-address-space. So far it 
seems to be not making undue noise, well, after I fixed a typo..
The rules I'm trying out are in the general format:

alert ip 0.0.0.0/8 any -> any any (msg:"LOCAL IANA Reserved IP used as source address"; sid:1000100; rev:1; classtype:bad-unknown;)

My theory is to try to detect packets with spoofed source IPs from tools 
that are foolish enough to pick IPs purely at random.

Comments, suggestions, theories, conspiracy theories?
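
An added example, not part of the original thread: a Python generator that emits one rule per block in the format posted above, after merging adjacent blocks and carving out the sensor's own networks so that internal private-address traffic does not trigger the rules. The block list is a constructed sample of IPv4 special-use ranges (only 0.0.0.0/8 comes from the post), and the function names and the `local_nets` parameter are assumptions of this example.

```python
import ipaddress

# Rule template copied from the post; only the source block and sid vary.
RULE = ('alert ip {net} any -> any any (msg:"LOCAL IANA Reserved IP used as '
        'source address"; sid:{sid}; rev:1; classtype:bad-unknown;)')

# Constructed sample list: only 0.0.0.0/8 comes from the post. The rest are
# special-use ranges (RFC 1918, loopback, link-local, class E). The IANA
# registry changes over time, so a real list must be rebuilt from the
# current registry before the rules are deployed.
SAMPLE_BLOCKS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/5", "248.0.0.0/5",
]


def carve_out(blocks, local_nets=()):
    """Merge adjacent/overlapping blocks, then subtract the local networks."""
    # ip_network() rejects entries with host bits set, catching list typos.
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(b) for b in blocks))
    for local in map(ipaddress.ip_network, local_nets):
        kept = []
        for net in nets:
            if local.subnet_of(net):
                # Keep the block but punch out the locally used range.
                kept.extend(net.address_exclude(local))
            elif not net.subnet_of(local):
                kept.append(net)  # unrelated to this local network
        nets = kept
    return sorted(nets)


def build_rules(blocks, local_nets=(), first_sid=1000100):
    """Return one rule per remaining block, with sequential local sids."""
    nets = carve_out(blocks, local_nets)
    return [RULE.format(net=n, sid=first_sid + i) for i, n in enumerate(nets)]


def is_flagged(src, blocks, local_nets=()):
    """Offline check: would a packet with this source match a generated rule?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in carve_out(blocks, local_nets))


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_BLOCKS, local_nets=["10.1.0.0/16"]):
        print(rule)
```

Because sids are assigned by sorted position, regenerating from a changed block list renumbers the rules; bump `rev` or pin sids per block if alert history must stay comparable.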






