[Snort-sigs] IANA reserved IP address rules?

Doug Cress cress1 at ...518...
Mon Jun 16 12:48:10 EDT 2003


I've had some experience with this working for tools that pick random IPs. 
A couple of times I've been able to follow the rabbit trail to something 
nasty that was hiding under the radar because I saw a reserved IP that was 
doing something weird. Then I wrote a sig to hunt down the weirdness and 
found all kinds of other stuff.

One caveat though, if you're on a pretty big pipe you're going to see all 
kinds of reserved address use alarms, and picking out the ones that are 
worth chasing to ground is not easy. I've wasted a lot of time doing this.

--doug ><>

On Mon, 16 Jun 2003 10:20:19 -0700, Harper, John T. <JTHarper at ...1609...> 
wrote:

> My 2 cents...
>
> Since private addresses aren't supposed to be forwarded on the Internet, 
> why are these tools necessary?
>
> Your ISP's router(s) reverse DNS feature should drop a packet that has a
> private address as the source.
>
> John Harper
>
> -----Original Message-----
> From: Matt Kettler [mailto:mkettler at ...189...]
> Sent: Wednesday, June 11, 2003 1:48 PM
> To: Snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] IANA reserved IP address rules?
>
>
> I was just curious if anyone ever wrote up a set of rules to detect use 
> of the IANA reserved IP blocks as source addresses for packets, and if 
> they had, what were the results like?
>
> This appears to have been discussed in 2000 under the thread 
> "<http://archives.neohapsis.com/archives/snort/2000-03/0434.html>[snort] 
> Spoofed IP source detection" but there was mostly debate over which 
> blocks to include etc, and no discussion of results..
>
> I'm asking because I recently wrote up a batch of rules to cover most of 
> them based on http://www.iana.org/assignments/ipv4-address-space. So far it 
> seems to be not making undue noise, well, after I fixed a typo..
> The rules I'm trying out are in the general format:
>
> alert ip 0.0.0.0/8 any -> any any (msg:"LOCAL IANA Reserved IP used as 
> source address"; sid:1000100; rev:1; classtype:bad-unknown;)
>
> My theory is to try to detect packets with spoofed source IPs from tools 
> that are foolish enough to pick IPs purely at random.
>
> Comments, suggestions, theories, conspiracy theories?
>
> -------------------------------------------------------
> This SF.NET email is sponsored by: eBay
> Great deals on office technology -- on eBay now! Click here:
> http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
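As an added illustration of the rule format Matt quotes and of Doug's point that the alerts need triage on a busy link (this is example code written for this archive page, not anything posted by Matt, Doug, or the Snort project), the script below generates one rule per reserved block in the same `alert ip <block> any -> any any (...)` shape, then runs a set of constructed source addresses through the same block list and counts hits per block so the noisy ranges stand out. The block list is an assumed subset of the RFC 1918 / RFC 3330-era special-use ranges, not the full IANA list Matt worked from, and the starting sid of 1000100 is taken from his rule.

```python
"""Generate Snort 'reserved source address' rules and triage the matches.

Added example for this thread; not code from the original posts. The block
list below is an assumed subset of the special-use IPv4 ranges, not the
complete IANA list the original poster built his rules from.
"""
import ipaddress
from collections import Counter

# Assumed subset of reserved / special-use IPv4 blocks (RFC 1918, RFC 3330 era).
RESERVED_BLOCKS = [
    ("0.0.0.0/8", "this network"),
    ("10.0.0.0/8", "RFC 1918 private"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("172.16.0.0/12", "RFC 1918 private"),
    ("192.0.2.0/24", "TEST-NET"),
    ("192.168.0.0/16", "RFC 1918 private"),
    ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved (class E)"),
]
NETWORKS = [(ipaddress.ip_network(cidr), label) for cidr, label in RESERVED_BLOCKS]


def snort_rules(base_sid=1000100):
    """Return one rule per block in the format quoted in the thread.

    Sids are consecutive from base_sid; local rules conventionally use
    sids of 1000000 and above so they do not collide with distributed rules.
    """
    rules = []
    for i, (cidr, label) in enumerate(RESERVED_BLOCKS):
        rules.append(
            f'alert ip {cidr} any -> any any (msg:"LOCAL IANA Reserved IP used as '
            f'source address ({label})"; sid:{base_sid + i}; rev:1; '
            f'classtype:bad-unknown;)'
        )
    return rules


def reserved_block(src):
    """Return the CIDR string of the reserved block containing src, or None."""
    addr = ipaddress.ip_address(src)
    for net, _label in NETWORKS:
        if addr in net:
            return str(net)
    return None


def triage(src_addrs):
    """Count hits per reserved block.

    On a large pipe the per-block counts show which ranges are background
    noise (typically leaked RFC 1918 traffic) and which rare hits are worth
    chasing.
    """
    counts = Counter()
    for src in src_addrs:
        block = reserved_block(src)
        if block is not None:
            counts[block] += 1
    return counts


# Constructed sample source addresses, as a sensor might record them.
SAMPLE_SOURCES = [
    "10.1.2.3", "192.168.0.7", "10.9.9.9", "203.0.113.5",
    "240.1.1.1", "198.51.100.2", "169.254.10.1", "10.0.0.1",
]

if __name__ == "__main__":
    for rule in snort_rules():
        print(rule)
    # Most frequent block first; rare blocks such as 240/4 are the ones to look at.
    for block, n in triage(SAMPLE_SOURCES).most_common():
        print(f"{n:4d}  {block}")
```

Run it directly to print the generated rules followed by the per-block hit counts; in practice you would feed `triage()` the source addresses extracted from the alert log rather than the constructed list.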