[Snort-users] Multiple networks and port-scanning...

Christopher Cramer cec at ...68...
Mon Jul 31 13:06:52 EDT 2000


Sorry for not getting back to you sooner on this.  I didn't get a chance
to hack it up until the weekend.  Using the modules, we internally map all
of the monitored subnets to the class A network and only monitor
the one network.  Then, before we log, we make use of the output plugin
and reverse the mapping.  Voila, multiple subnets monitored as one single

Anyway, we have two modules, spp_ipswap and spo_ipunswap.  They seem to
work fairly well, except for the obvious caveat that anything coming in from
the 10.x.x.x network will be mapped to one of your subnets.

Here's an example of the preprocessor and o/p processor in action,
detecting telnet connections from the outside world.

preprocessor ipswap: w.v.x.0/24 w.v.y.0/24 w.v.z.0/24
output ipunswap: 
output alert_fast: /var/log/snort/alert
alert tcp !$HOME_NET any -> $HOME_NET 23 (flags:S; msg: "remote telnet

Anyway, I've just included the module sources, so one would have to edit
plugbase.[ch] to use these, but if you can't do that then you probably
shouldn't be playing w/ the modules in the first place :-)  Let me know if
there are questions.


p.s. This is my first o/p plugin; if anyone sees something obviously dumb,
let me know, although they do work for me :-)

p.p.s. When Marty gets back from Defcon and I get in touch w/ him, I've
got an even better surprise.

Dr. Christopher E. Cramer
Associate in Research
Duke University, Department of Electrical and Computer Engineering
114 Hudson Hall, Box 90291, Durham, NC  27708-0291
PH:  919-660-5248     FAX:  919-660-5293     email:  cec at ...68...

On Wed, 26 Jul 2000, Christian Hammers wrote:

> On Wed, Jul 26, 2000 at 12:09:13PM -0400, Christopher Cramer wrote:
> > Clever!  But any thoughts on how you would know which machine was under
> > attack?
> Surely, just renumber them, making 
> -> and
>   -> etc.
> and match for
> If you actually write such a renumber preprocessor, please post it to 
> the list!
> > -Chris
> bye,
>  -christian-
> -- 
> Christian Hammers    WESTEND GmbH - Aachen und Dueren     Tel 0241/701333-0
> ch at ...139...     Internet & Security for Professionals    Fax 0241/911879
>            WESTEND ist CISCO Systems Partner - Premium Certified
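The fold/unfold scheme described in the post above, as an added Python model
(editor's example; not the spp_ipswap/spo_ipunswap sources, which are not on
this page).  The slot layout (i-th monitored /24 -> 10.0.i.0/24), the
/24-only restriction and the sample addresses are assumptions of the model.
It also exercises the caveat from the post: a genuine 10.x.x.x source both
looks like $HOME_NET to the rule and gets rewritten into a real subnet at log
time.

```python
"""Model of the ipswap / ipunswap idea: fold several monitored /24 subnets
into one private scratch network so a single $HOME_NET covers them, then undo
the fold just before logging.  Illustrative Python only, not the Snort plugin
sources; the slot assignment (i-th real /24 -> 10.0.i.0/24) is an assumption,
the original post does not say how its mapping is laid out."""
from itertools import islice
import ipaddress


class SubnetFolder:
    def __init__(self, monitored, scratch="10.0.0.0/8"):
        self.monitored = [ipaddress.ip_network(n) for n in monitored]
        if any(n.prefixlen != 24 for n in self.monitored):
            raise ValueError("this model assumes /24 subnets")  # assumption
        self.scratch = ipaddress.ip_network(scratch)
        # Assumed layout: the i-th monitored /24 occupies the i-th /24 of the
        # scratch space, so 10.0.i.h stands for host h of the i-th real subnet.
        self.slots = list(islice(self.scratch.subnets(new_prefix=24),
                                 len(self.monitored)))

    def fold(self, addr):
        """ipswap: real monitored address -> scratch address; others unchanged."""
        a = ipaddress.ip_address(addr)
        for real, slot in zip(self.monitored, self.slots):
            if a in real:
                return slot.network_address + (int(a) - int(real.network_address))
        return a

    def unfold(self, addr):
        """ipunswap: scratch address -> real address; others unchanged.

        The caveat from the post: a genuine 10.x.x.x source that was never
        folded still falls into a slot here and is rewritten into a real subnet."""
        a = ipaddress.ip_address(addr)
        for real, slot in zip(self.monitored, self.slots):
            if a in slot:
                return real.network_address + (int(a) - int(slot.network_address))
        return a


def remote_telnet_alert(folder, src, dst, dport, syn):
    """Evaluate the post's rule
        alert tcp !$HOME_NET any -> $HOME_NET 23 (flags:S; ...)
    on folded addresses with $HOME_NET = the scratch network, and return the
    (src, dst) pair as it would be logged after unfolding, or None."""
    fsrc, fdst = folder.fold(src), folder.fold(dst)
    home = folder.scratch
    if syn and dport == 23 and fdst in home and fsrc not in home:
        return str(folder.unfold(fsrc)), str(folder.unfold(fdst))
    return None


if __name__ == "__main__":
    # Constructed sample: RFC 5737 documentation nets stand in for w.v.x/y/z.0/24.
    f = SubnetFolder(["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"])
    packets = [  # (src, dst, dport, syn): constructed, not captured traffic
        ("198.18.0.1", "203.0.113.4", 23, True),    # outside -> monitored: alert
        ("192.0.2.10", "203.0.113.4", 23, True),    # monitored -> monitored: none
        ("10.0.1.7", "203.0.113.4", 23, True),      # real 10.x host looks internal
    ]
    for p in packets:
        print(p[:2], "->", remote_telnet_alert(f, *p))
    print("unfold(10.0.1.7) =", f.unfold("10.0.1.7"))  # 198.51.100.7
```

The last line is the collision the post warns about: 10.0.1.7 was never folded,
yet ipunswap cannot tell it apart from a folded host and logs it as a member of
the second monitored subnet.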
