[Snort-users] RE: NAT Penetration Techniques
abyssleaper at ...125...
Wed Mar 6 13:10:06 EST 2002
I'd agree with Craig on this also. I was commenting on the reason that you
are seeing your internal LAN IPs in your snort alerts, instead of your
global NAT. Upon investigation of most of *MY* shellcode alerts, they have
been false positives from generic HTML traffic from reputable sites.
>From: "J. Craig Woods" <drjung at ...2066...>
>To: Basil Saragoza <snortlst at ...125...>
>CC: Jeff DuVall <abyssleaper at ...125...>,
>snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] RE: NAT Penetration Techniques
>Date: Wed, 06 Mar 2002 14:18:05 -0600
>Received: from [18.104.22.168] by hotmail.com (3.2) with ESMTP id
>MHotMailBE4FC263004A400431CF0429215FF5080; Wed, 06 Mar 2002 12:09:08 -0800
>Received: from sprynet.com (localhost.localdomain [127.0.0.1])by
>sherman.trismegistus.net (8.11.6/8.11.6) with ESMTP id g26KI6P10585;Wed, 6
>Mar 2002 14:18:06 -0600
>From drjung at ...2066... Wed, 06 Mar 2002 12:10:36 -0800
>Sender: root at ...5219...
>Message-ID: <3C86797D.599C86A4 at ...2066...>
>X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.4.9-31 i686)
>References: <F183CzOOLixJgTWVg8v00011c25 at ...125...>
><OE453eCO94Kj32Gcjlk00009912 at ...125...>
>Basil Saragoza wrote:
> > Would it be correct to say that (theoretically at least)
> > If I see in snort lan sensor attacks on my lan workstations it mostly means
> > that the 'initiator' is a local workstation and not the external address;
> > people from outside wouldn't know that ws ip is 10.0.0.234. This is the
> > indication that traffic was routed back to that 'initiating' lan
> > and not an indication that someone somehow bypasses my NAT on fw.
>No, that would not be a good assumption to operate on. Theoretically,
>almost anything is possible when it comes to networking. You must
>explore the attacks to see if maybe they are false, but it is possible to
>attack one of your internal machines from an external source. Remember
>that your firewall will be doing the translation on the NAT ip back to
>the local machine ip. Therefore, you could be attacked on a local
>machine with NAT sending the attack back to the original ip address for
>the local machine. NAT does *not*, in and of itself, save you from an
>attack on a local machine. Remember that ip header flags are set by the
>originating machine. If I go out to the internet, asking for a connection
>to some external machine, I am creating a "hole" in the firewall, and it
>is not necessary for the external machine to "know" my private ip.
>Hope this clarifies (as opposed to obfuscating)...
>J. Craig Woods
>UNIX/NT Network/System Administration
>-Art is the illusion of spontaneity-
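The point Craig makes above (an internal host opening an outbound connection creates a "hole" through which the reply is translated back to the private address, so a LAN-side Snort sensor logs the private IP as the target even though the payload came from outside) can be seen in a small stateful NAT model. The following is an added illustration, not code from the thread or from Snort; the addresses 203.0.113.5, 198.51.100.x and the 10.0.0.x hosts, the `StatefulNAT` class and the `scenario()` function are all constructed for this example.

```python
"""Toy stateful NAT (port address translation) showing why a LAN-side sensor
sees private IPs as the destination of externally sourced payloads.

Everything here is constructed for illustration: the public address is from
the RFC 5737 documentation range and the private hosts are made up.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.5"  # constructed: the firewall's global NAT address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulNAT:
    """Default-deny NAT: inbound traffic reaches the LAN only through a
    mapping created by an outbound connection or a static port forward."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # (public_port, proto, remote_ip, remote_port) -> (private_ip, private_port)
        self._dynamic: Dict[Tuple[int, str, str, int], Tuple[str, int]] = {}
        # (public_port, proto) -> (private_ip, private_port)
        self._static: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def add_port_forward(self, public_port: int, proto: str,
                         private_ip: str, private_port: int) -> None:
        self._static[(public_port, proto)] = (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """An internal host initiates a connection: allocate (or reuse) a
        public port and rewrite the source. This is the 'hole'."""
        for key, private in self._dynamic.items():
            if private == (pkt.src_ip, pkt.src_port) and \
                    key[1:] == (pkt.proto, pkt.dst_ip, pkt.dst_port):
                pub_port = key[0]
                break
        else:
            pub_port = self._next_port
            self._next_port += 1
            self._dynamic[(pub_port, pkt.proto, pkt.dst_ip, pkt.dst_port)] = \
                (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Return (reason, packet as delivered on the LAN) or (reason, None)
        when the firewall drops it. The delivered packet carries the private
        destination, which is exactly what a LAN sensor will alert on."""
        if pkt.dst_ip != self.public_ip:
            return "not-for-us", None
        dyn = self._dynamic.get((pkt.dst_port, pkt.proto, pkt.src_ip, pkt.src_port))
        if dyn:
            return "reply-to-internal-session", replace(pkt, dst_ip=dyn[0], dst_port=dyn[1])
        static = self._static.get((pkt.dst_port, pkt.proto))
        if static:
            return "static-port-forward", replace(pkt, dst_ip=static[0], dst_port=static[1])
        return "unsolicited-dropped", None


def scenario() -> dict:
    """Three constructed flows against the same firewall."""
    nat = StatefulNAT(PUBLIC_IP)
    nat.add_port_forward(80, "tcp", "10.0.0.10", 80)  # constructed published web server

    # 1. Workstation 10.0.0.234 browses an external site; the HTTP reply is what
    #    a LAN-side rule would inspect, and it arrives addressed to 10.0.0.234.
    out = nat.outbound(Packet("10.0.0.234", 51515, "198.51.100.7", 80))
    reason1, lan1 = nat.inbound(Packet("198.51.100.7", 80, out.src_ip, out.src_port))

    # 2. An external host reaches the published server through the static forward.
    reason2, lan2 = nat.inbound(Packet("198.51.100.9", 4444, PUBLIC_IP, 80))

    # 3. Unsolicited traffic to a port with no mapping never reaches the LAN.
    reason3, lan3 = nat.inbound(Packet("198.51.100.9", 4445, PUBLIC_IP, 139))

    return {"outbound": out, "reply": (reason1, lan1),
            "forward": (reason2, lan2), "probe": (reason3, lan3)}


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

When correlating LAN-side alerts with this model, the useful question is not "did someone bypass NAT" but "which mapping let this packet in": a reply on an internally initiated session means the workstation asked for the content (often the benign HTML false positives Jeff mentions), while a hit through a static forward means the host is directly exposed on that port.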