[Snort-users] Multiple networks and port-scanning...

Christopher Cramer cec at ...68...
Mon Jul 31 13:06:52 EDT 2000


Christian,  

Sorry for not getting back to you sooner on this.  I didn't get a chance
to hack it up until the weekend.  Using the modules, we internally map all
of the monitored subnets to the class A network 10.0.0.0 and only monitor
the one network.  Then, before we log, we make use of the output plugin
and reverse the mapping.  Voila, multiple subnets monitored as one single
network.  

Anyway, we have two modules, spp_ipswap and spo_ipunswap.  They seem to
work fairly well, except for the obvious caveat that anything coming in on
the 10.x.x.x network will be mapped to one of your subnets.

Here's an example of the preprocessor and o/p processor in action,
detecting telnet connections from the outside world.

preprocessor ipswap: w.v.x.0/24 w.v.y.0/24 w.v.z.0/24
output ipunswap: 
output alert_fast: /var/log/snort/alert
var HOME_NET 10.0.0.0/8
alert tcp !$HOME_NET any -> $HOME_NET 23 (flags:S; msg: "remote telnet connection";)

Anyway, I've just included the module sources, so one would have to edit
plugbase.[ch] to use these, but if you can't do that then you probably
shouldn't be playing w/ the modules in the first place :-)  Let me know if
there are questions.

Enjoy,
Chris

p.s. This is my first o/p plugin; if anyone sees something obviously dumb,
let me know, although they do work for me :-)

p.p.s. When Marty gets back from Defcon and I get in touch w/ him, I've
got an even better surprise.

----------------------------------------------------------------------
Dr. Christopher E. Cramer
Associate in Research
Duke University, Department of Electrical and Computer Engineering
114 Hudson Hall, Box 90291, Durham, NC  27708-0291
PH:  919-660-5248     FAX:  919-660-5293     email:  cec at ...68...


On Wed, 26 Jul 2000, Christian Hammers wrote:

> On Wed, Jul 26, 2000 at 12:09:13PM -0400, Christopher Cramer wrote:
> > Clever!  But any thoughts on how you would know which machine was under
> > attack?
> Surely, just renumber them, making 
>  212.110.123.0/24 -> 10.1.0.0/24 and
>  194.66.25.0/19   -> 10.2.0.0/19 etc.
> and match for 10.0.0.0/8.
> 
> If you actually write such a renumber preprocessor, please post it to 
> the list!
> 
> > -Chris
> bye,
> 
>  -christian-
> 
> -- 
> Christian Hammers    WESTEND GmbH - Aachen und Dueren     Tel 0241/701333-0
> ch at ...139...     Internet & Security for Professionals    Fax 0241/911879
>            WESTEND ist CISCO Systems Partner - Premium Certified
> 
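The renumbering scheme described in this thread (monitored subnets folded into 10.0.0.0/8 before rule matching, then reversed before logging), written out as an added Python example. This is not Chris's spp_ipswap/spo_ipunswap code, which is C and was attached to the original post; it is a stand-in that shows the mapping logic, the rule from the example snort.conf evaluated on the swapped addresses, and the caveat about real 10.x.x.x traffic. The function names, the 10.<n>.0.0 numbering (after Christian's sketch) and the sample subnets are all constructed for this example.

```python
import ipaddress
from typing import List, Optional, Tuple

# HOME_NET in the example snort.conf: every monitored subnet is folded into this /8.
SWAP_ROOT = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample subnets, loosely after the renumbering sketched in the thread.
MONITORED_SUBNETS = ["212.110.123.0/24", "194.66.0.0/19"]

Mapping = List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]


def build_mapping(subnets: List[str]) -> Mapping:
    """Give the n-th monitored subnet the private network 10.<n>.0.0 with the same prefix length."""
    mapping: Mapping = []
    for n, text in enumerate(subnets, start=1):
        real = ipaddress.ip_network(text)  # strict: host bits must be zero
        if n > 255:
            raise ValueError("at most 255 subnets fit in the second octet of 10.0.0.0/8")
        if real.prefixlen < 16:
            raise ValueError(f"{real}: prefixes shorter than /16 do not fit in 10.{n}.0.0")
        if real.subnet_of(SWAP_ROOT):
            raise ValueError(f"{real} already lies in {SWAP_ROOT}; the reverse mapping would be ambiguous")
        swapped = ipaddress.ip_network(f"10.{n}.0.0/{real.prefixlen}")
        mapping.append((real, swapped))
    return mapping


def _rewrite(addr, src_net, dst_net):
    """Keep the host bits of addr and replace its network bits with those of dst_net."""
    host_bits = int(addr) & ~int(src_net.netmask)
    return ipaddress.ip_address(int(dst_net.network_address) | host_bits)


def swap(addr_text: str, mapping: Mapping) -> str:
    """Preprocessor side (the role of spp_ipswap): monitored address -> 10.x address.
    Addresses outside every monitored subnet pass through unchanged."""
    addr = ipaddress.ip_address(addr_text)
    for real, swapped in mapping:
        if addr in real:
            return str(_rewrite(addr, real, swapped))
    return addr_text


def unswap(addr_text: str, mapping: Mapping) -> str:
    """Output side (the role of spo_ipunswap): 10.x address -> monitored address.
    Any address inside a swapped network is reversed, whether or not swap() produced it;
    that is the caveat in the post about packets that really carry 10.x.x.x addresses."""
    addr = ipaddress.ip_address(addr_text)
    for real, swapped in mapping:
        if addr in swapped:
            return str(_rewrite(addr, swapped, real))
    return addr_text


def in_home_net(addr_text: str) -> bool:
    """$HOME_NET test as the rule sees it, i.e. on already-swapped addresses."""
    return ipaddress.ip_address(addr_text) in SWAP_ROOT


def process_packet(src: str, dst: str, dport: int, syn: bool,
                   mapping: Mapping) -> Optional[Tuple[str, str]]:
    """One TCP packet through the pipeline in the post: swap, evaluate
    'alert tcp !$HOME_NET any -> $HOME_NET 23 (flags:S; ...)', unswap for logging.
    Returns the (src, dst) pair as alert_fast would log it, or None when the rule does not fire."""
    s, d = swap(src, mapping), swap(dst, mapping)
    if syn and dport == 23 and not in_home_net(s) and in_home_net(d):
        return unswap(s, mapping), unswap(d, mapping)
    return None


if __name__ == "__main__":
    m = build_mapping(MONITORED_SUBNETS)
    for real, swapped in m:
        print(f"{real} <-> {swapped}")
    print(process_packet("198.51.100.4", "212.110.123.7", 23, True, m))
```

The caveat from the post falls out of `unswap()` directly: an inbound packet whose source really is 10.1.0.200 is untouched by `swap()` (it is in no monitored subnet) but is rewritten to 212.110.123.200 on the way out, because the output side cannot tell it apart from a swapped address. `build_mapping()` refuses a monitored subnet that already sits inside 10.0.0.0/8 for the same reason.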
