[Snort-users] RE: NAT Penetration Techniques

Jeff DuVall abyssleaper at ...125...
Wed Mar 6 13:10:06 EST 2002


I'd agree with Craig on this also.  I was commenting on the reason that you 
are seeing your internal LAN IPs in your snort alerts, instead of your 
global NAT.  Upon investigation of most of *MY* shellcode alerts, they have 
been false positives from generic HTML traffic from reputable sites.

Good luck.

-Jeff


>From: "J. Craig Woods" <drjung at ...2066...>
>To: Basil Saragoza <snortlst at ...125...>
>CC: Jeff DuVall <abyssleaper at ...125...>, 
>snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] RE:  NAT Penetration Techniques
>Date: Wed, 06 Mar 2002 14:18:05 -0600
>
>Basil Saragoza wrote:
> >
> > Would it be correct to say that (theoretically at least)
> > if I see in the snort LAN sensor attacks on my LAN workstations it mostly
> > means that the 'initiator' is a local workstation and not the external
> > address, because people from outside wouldn't know that the ws IP is
> > 10.0.0.234. This is the indication that traffic was routed back to that
> > 'initiating' LAN workstation, and not an indication that someone somehow
> > bypasses my NAT on the fw.
>
>No, that would not be a good assumption to operate on. Theoretically,
>almost anything is possible when it comes to networking. You must
>explore the attacks to see if maybe they are false, but it is possible to
>attack one of your internal machines from an external source. Remember
>that your firewall will be doing the translation on the NAT ip back to
>the local machine ip. Therefore, you could be attacked on a local
>machine with NAT sending the attack back to the original ip address for
>the local machine. NAT does *not*, in and of itself, save you from an
>attack on a local machine. Remember that ip header flags are set by the
>originating machine. If I go out to the internet, asking for a connection
>to some external machine, I am creating a "hole" in the firewall, and it
>is not necessary for the external machine to "know" my private ip
>address.
>
>Hope this clarifies (as opposed to obfuscating)...
>
>--
>J. Craig Woods
>UNIX/NT Network/System Administration
>
>-Art is the illusion of spontaneity-
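The translation Craig describes, as an added example that is not part of the original thread: a toy NAT table showing why a Snort sensor on the LAN side logs the private 10.0.0.234 address for the reply while a sensor outside the firewall logs the public NAT address, and why the external server never needs to know the private IP. The public address 203.0.113.5, the server 198.51.100.10 and all ports are constructed for the example.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.5"     # assumed public NAT address on the firewall (constructed)
LAN_HOST = "10.0.0.234"       # the workstation address from the thread
WEB_SERVER = "198.51.100.10"  # assumed external site (constructed)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""

class Nat:
    """Toy port-address translation table: public port -> (lan_ip, lan_port)."""
    def __init__(self):
        self.table = {}
        self.next_port = 40000

    def outbound(self, pkt):
        """LAN host initiates: record the mapping (the 'hole'), rewrite source to public."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (pkt.src_ip, pkt.src_port)
        return Packet(PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Packet from outside: forward to the LAN host only if it matches a mapping."""
        if pkt.dst_ip != PUBLIC_IP or pkt.dst_port not in self.table:
            return None  # no hole was opened for this port: firewall drops it
        lan_ip, lan_port = self.table[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.payload)

def sensor_views(reply_payload):
    """One outbound web request and its reply; what each sensor records for the reply."""
    nat = Nat()
    request = Packet(LAN_HOST, 51000, WEB_SERVER, 80, b"GET / HTTP/1.0\r\n\r\n")
    outside = nat.outbound(request)
    # The server answers the public address/port; it never learns 10.0.0.234.
    reply = Packet(WEB_SERVER, 80, outside.src_ip, outside.src_port, reply_payload)
    unsolicited = Packet(WEB_SERVER, 80, PUBLIC_IP, 1234, reply_payload)
    return {
        "external_sensor": reply,                 # dst is the NAT address
        "lan_sensor": nat.inbound(reply),         # dst is the private address in the alert
        "unsolicited": nat.inbound(unsolicited),  # None: no mapping, dropped
    }

if __name__ == "__main__":
    for name, pkt in sensor_views(b"<html>constructed page</html>").items():
        print(name, pkt)
```

Whatever the server puts in the reply body reaches the workstation through the existing mapping, which is why the "initiator" being local says nothing about whether the returned content is benign.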



