[Snort-users] Fun with IPF and Snort

Martin Roesch roesch at ...421...
Sat Mar 17 02:41:46 EST 2001


Cool, nice application of traps, misdirection, and counter attack.  I
like it...  :)

    -Marty


"shawn . moyer" wrote:
> 
> Cross-posting this because I thought folks on both lists might enjoy it.
> :)
> 
> I'm on a cable modem network at home, so I get hit with scans there
> pretty frequently, and in an effort to frustrate automated scanning
> tools I have the following redirects in my ipnat.conf:
> 
> rdr ed0 0.0.0.0/0 port 53 -> X.X.X.X port 19 udp
> rdr ed0 0.0.0.0/0 port 111 -> X.X.X.X port 19 udp
> rdr ed0 0.0.0.0/0 port 137 -> X.X.X.X port 19 udp
> 
> rdr ed0 0.0.0.0/0 port 21 -> X.X.X.X port 19 tcp
> rdr ed0 0.0.0.0/0 port 53 -> X.X.X.X port 19 tcp
> rdr ed0 0.0.0.0/0 port 111 -> X.X.X.X port 19 tcp
> rdr ed0 0.0.0.0/0 port 1080 -> X.X.X.X port 19 tcp
> rdr ed0 0.0.0.0/0 port 27374 -> X.X.X.X port 19 tcp
> 
> I also have various Snort rules to log these attempts, just for my own
> records.
> 
> The relevant rule for Snort that fired today was:
> 
> alert tcp !$HOME_NET any <> $HOME_NET 21 (msg: "Custom - Attempted FTP access";)
> 
> The log of this attempt is at:
> 
> https://www.cipherpunx.org/snort/172/152/36/src172.152.36.67.html
> 
> My redirects apparently slowed someone's tool down for a total of 3
> minutes or so... Not much to get excited about, but if everyone did
> this, scanning networks for vulnerabilities with automated tools would
> be next to impossible. Cool, huh? :)
> 
> These redirects will also crash ISS Internet Scanner and Cybercop (fun
> if you're expecting a security audit at work).
> 
> --shawn
> 
> --
> 
> s h a w n   m o y e r
> shawn at ...1184...
> 
> The universe did not invent justice; man did.
> Unfortunately, man must reside in the universe.
> 
>                                         -- Zelazny
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org
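
Added example, not part of the original thread and not code from either poster: a coverage check that reads the ipnat.conf redirects quoted above and emits an alert rule, in the same form as the posted FTP rule, for every redirected port that does not yet have one. The function names and the generated msg text are assumptions made for this illustration.

```python
import re

# Redirect list and Snort rule copied from the post (X.X.X.X is the poster's placeholder).
IPNAT_CONF = """\
rdr ed0 0.0.0.0/0 port 53 -> X.X.X.X port 19 udp
rdr ed0 0.0.0.0/0 port 111 -> X.X.X.X port 19 udp
rdr ed0 0.0.0.0/0 port 137 -> X.X.X.X port 19 udp
rdr ed0 0.0.0.0/0 port 21 -> X.X.X.X port 19 tcp
rdr ed0 0.0.0.0/0 port 53 -> X.X.X.X port 19 tcp
rdr ed0 0.0.0.0/0 port 111 -> X.X.X.X port 19 tcp
rdr ed0 0.0.0.0/0 port 1080 -> X.X.X.X port 19 tcp
rdr ed0 0.0.0.0/0 port 27374 -> X.X.X.X port 19 tcp
"""
SNORT_RULES = 'alert tcp !$HOME_NET any <> $HOME_NET 21 (msg: "Custom - Attempted FTP access";)\n'

RDR = re.compile(r"rdr\s+\S+\s+\S+\s+port\s+(\d+)\s+->\s+\S+\s+port\s+\d+\s+(tcp/udp|tcp|udp)$")
ALERT = re.compile(r"alert\s+(tcp|udp)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+(\d+)\s*\(")

def redirected_ports(conf):
    """Return the set of (proto, port) pairs that rdr lines send to the decoy."""
    pairs = set()
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("rdr"):
            continue  # blank lines, comments, map rules
        m = RDR.match(line)
        if not m or not 0 < int(m.group(1)) < 65536:
            raise ValueError(f"line {n}: cannot parse redirect: {raw!r}")
        for proto in m.group(2).split("/"):
            pairs.add((proto, int(m.group(1))))
    return pairs

def logged_ports(rules):
    """Return (proto, port) pairs that already have an alert rule on a single port."""
    return {(m.group(1), int(m.group(2)))
            for m in map(ALERT.match, (r.strip() for r in rules.splitlines())) if m}

def missing_rules(conf, rules):
    """Build one alert rule, in the post's form, per redirected port lacking one."""
    gaps = sorted(redirected_ports(conf) - logged_ports(rules))
    return [f'alert {proto} !$HOME_NET any <> $HOME_NET {port} '
            f'(msg: "Custom - Attempted access to redirected {proto} port {port}";)'
            for proto, port in gaps]

if __name__ == "__main__":
    print("\n".join(missing_rules(IPNAT_CONF, SNORT_RULES)))
```

With only the FTP rule loaded, seven of the eight redirected protocol and port pairs have no logging rule.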



