[Snort-users] NAT penetration techniques

Basil Saragoza snortlst at ...125...
Tue Mar 5 15:25:31 EST 2002


I'm not really sure this forum is the place to ask these questions, but maybe
you can give me a hint...
I run 2 snort sensors: the first sniffs traffic coming to the public ip of the
firewall, the second sniffs the lan ip of the firewall, so I can see which
traffic comes from the internet and which actually penetrates inside
my lan through the firewall.

I see shellcode attacks and other icmp activity that are directed to computers
inside my lan - some workstations, let's say. Some of those workstations have
a dhcp ip address and some have static (from the 10.0.0.x range). Those
workstations' ip addresses use hidden NAT when they go to the internet, and
the outside world has knowledge of the hidden nat ip address but not of the
particular 10.something address. That's my understanding.....
In snort I see attacks directed to 10.0.0.x addresses.
HOW CAN OUTSIDE WORLD ATTACKERS KNOW WHICH IP ADDRESSES I USE INTERNALLY AND
HOW CAN THEY ATTACK THOSE WORKSTATIONS, DO THEY BYPASS NAT SOMEHOW?
thx.



