[Snort-users] Fun with IPF and Snort

shawn . moyer shawn at ...1184...
Fri Mar 16 18:40:09 EST 2001


Cross-posting this because I thought folks on both lists might enjoy it.
:)

I'm on a cable modem network at home, so I get hit with scans there
pretty frequently, and in an effort to frustrate automated scanning
tools I have the following redirects in my ipnat.conf:

# UDP probes to DNS, portmapper and NetBIOS name service go to chargen (port 19)
rdr ed0 0.0.0.0/0 port 53 -> X.X.X.X port 19 udp
rdr ed0 0.0.0.0/0 port 111 -> X.X.X.X port 19 udp
rdr ed0 0.0.0.0/0 port 137 -> X.X.X.X port 19 udp

# TCP probes to FTP, DNS, portmapper, SOCKS and the SubSeven default port, likewise
rdr ed0 0.0.0.0/0 port 21 -> X.X.X.X port 19 tcp
rdr ed0 0.0.0.0/0 port 53 -> X.X.X.X port 19 tcp
rdr ed0 0.0.0.0/0 port 111 -> X.X.X.X port 19 tcp
rdr ed0 0.0.0.0/0 port 1080 -> X.X.X.X port 19 tcp
rdr ed0 0.0.0.0/0 port 27374 -> X.X.X.X port 19 tcp

I also have various Snort rules to log these attempts, just for my own
records. 

The relevant rule for Snort that fired today was:

alert tcp !$HOME_NET any <> $HOME_NET 21 (msg:"Custom - Attempted FTP access";)

The log of this attempt is at:

https://www.cipherpunx.org/snort/172/152/36/src172.152.36.67.html

My redirects apparently slowed someone's tool down for a total of 3
minutes or so... Not much to get excited about, but if everyone did
this, scanning networks for vulnerabilities with automated tools would
be next to impossible. Cool, huh? :)

These redirects will also crash ISS Internet Scanner and Cybercop (fun
if you're expecting a security audit at work).




--shawn

-- 

s h a w n   m o y e r
shawn at ...1184...


The universe did not invent justice; man did.
Unfortunately, man must reside in the universe.

					-- Zelazny
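Editor's note, added example (not part of Shawn's post or his setup): the ipnat rules above work because a scanner that connects to a redirected port and reads "until the server closes" never gets a close from chargen (RFC 864), which streams 72-character rotated lines of printable ASCII forever. The Python below stands in for the chargen sink on loopback (the real redirect is done by ipnat and is not reproduced here), runs a naive read-until-close probe against it to show the stall, and then runs a bounded probe plus a small heuristic that recognizes chargen output so a scanner can give up early. Port numbers, byte caps and deadlines are illustrative assumptions.

```python
import socket
import threading
import time

# RFC 864 chargen pattern: the 95 printable ASCII characters, cycled.
CHARSET = bytes(range(0x20, 0x7F))  # ' ' .. '~'
LINE_LEN = 72


def chargen_line(offset):
    """Line `offset` of a chargen stream: 72 chars starting at CHARSET[offset % 95], plus CRLF."""
    start = offset % len(CHARSET)
    doubled = CHARSET + CHARSET  # lets a line wrap past '~' back to ' '
    return doubled[start:start + LINE_LEN] + b"\r\n"


def serve_chargen(host="127.0.0.1"):
    """Start a minimal TCP chargen server on an ephemeral loopback port (assumed stand-in
    for the host the ipnat rules redirect to). Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def handle(conn):
        offset = 0
        try:
            while not stop.is_set():      # chargen never closes; it streams until the peer goes away
                conn.sendall(chargen_line(offset))
                offset += 1
        except OSError:
            pass                          # peer closed or reset the connection
        finally:
            conn.close()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], stop


def grab_until_close(port, deadline_s=0.5):
    """Naive banner grab: read until the peer closes. Against chargen the close never comes,
    so the probe burns its whole deadline. Returns (bytes_read, peer_closed)."""
    end = time.monotonic() + deadline_s
    total = 0
    with socket.create_connection(("127.0.0.1", port), timeout=deadline_s) as s:
        s.settimeout(0.1)
        while time.monotonic() < end:
            try:
                chunk = s.recv(65536)
            except socket.timeout:
                continue
            if not chunk:
                return total, True
            total += len(chunk)
    return total, False


def grab_bounded(port, max_bytes=512, timeout=1.0):
    """Defensive banner grab: cap both bytes and wall-clock time. Returns the bytes read."""
    end = time.monotonic() + timeout
    buf = bytearray()
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.settimeout(0.1)
        while len(buf) < max_bytes and time.monotonic() < end:
            try:
                chunk = s.recv(max_bytes - len(buf))
            except socket.timeout:
                continue
            if not chunk:
                break
            buf += chunk
    return bytes(buf)


def looks_like_chargen(data, min_lines=2):
    """Heuristic for a chargen sink: complete lines are exactly 72 printable ASCII chars ending
    in CRLF, and each line is the previous one shifted left by one character."""
    full = data.split(b"\r\n")[:-1]       # drop the trailing partial line
    if len(full) < min_lines or any(len(l) != LINE_LEN for l in full):
        return False
    if any(not all(0x20 <= c < 0x7F for c in l) for l in full):
        return False
    return all(a[1:] == b[:-1] for a, b in zip(full, full[1:]))


if __name__ == "__main__":
    port, stop = serve_chargen()
    n, closed = grab_until_close(port, deadline_s=0.5)
    print(f"naive probe: {n} bytes, peer closed={closed} (gave up at deadline)")
    banner = grab_bounded(port, max_bytes=512)
    print(f"bounded probe: {len(banner)} bytes, chargen={looks_like_chargen(banner)}")
    stop.set()
```

The detection heuristic is what a scanner author would add so that the tool recognizes a chargen sink from a few hundred bytes and moves on, which is also the caveat for the defender: the trick only costs the attacker time until their tool bounds its reads. It says nothing about whether any particular commercial scanner crashes; that claim is the original poster's.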