[Snort-users] RE: NAT Penetration Techniques

Jeff DuVall abyssleaper at ...125...
Wed Mar 6 13:10:06 EST 2002

I'd agree with Craig on this also.  I was commenting on the reason that you 
are seeing your internal LAN IP's in your snort alerts, instead of your 
global NAT.  Upon investigation of most of *MY* shellcode alerts, they have 
been false positives from generic HTML traffic from reputable sites.

Good luck.


>From: "J. Craig Woods" <drjung at ...2066...>
>To: Basil Saragoza <snortlst at ...125...>
>CC: Jeff DuVall <abyssleaper at ...125...>, 
>snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] RE:  NAT Penetration Techniques
>Date: Wed, 06 Mar 2002 14:18:05 -0600
>Basil Saragoza wrote:
> >
> > Would it be correct to say that (theoretically at least)
> > if I see in the snort lan sensor attacks on my lan workstations it mostly means 
> > that the 'initiator' is a local workstation and not the external address, as 
> > people from outside wouldn't know that the ws ip is This is the
> > indication that traffic was routed back to that 'initiating' lan 
> > and not an indication that someone somehow bypasses my NAT on the fw.
>No, that would not be a good assumption to operate on. Theoretically,
>almost anything is possible when it comes to networking. You must
>explore the attacks to see if maybe they are false, but it is possible to
>attack one of your internal machines from an external source. Remember
>that your firewall will be doing the translation on the NAT ip back to
>the local machine ip. Therefore, you could be attacked on a local
>machine with NAT sending the attack back to the original ip address for
>the local machine. NAT does *not*, in and of itself, save you from an
>attack on a local machine. Remember that ip header flags are set by the
>originating machine. If I go out to the internet, asking for a connection
>to some external machine, I am creating a "hole" in the firewall, and it
>is not necessary for the external machine to "know" my private ip.
>Hope this clarifies (as opposed to obfuscating)...
>J. Craig Woods
>UNIX/NT Network/System Administration
>-Art is the illusion of spontaneity-
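As an added illustration of the point Craig makes (this is not code from the thread or from Snort), here is a toy model of a stateful NAT gateway: an outbound connection from a workstation creates the mapping, the reply is translated back to the private address before a LAN-side sensor sees it, and the same payload sent to an unmapped public port never reaches the LAN. All addresses, ports and payloads are constructed sample values.

```python
# Added example: minimal port-address-translation model, not the thread's own code.
# Shows why a LAN-side Snort sensor logs private IPs on replies to outbound
# connections, and why that alone does not indicate a NAT bypass.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class StatefulNat:
    """One public IP shared by the LAN; mappings exist only for outbound flows."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table: dict[int, tuple[str, int]] = {}  # public_port -> (private_ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN host initiates: record the mapping (the 'hole') and rewrite the source."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt: Packet):
        """WAN-side packet: translate back to the LAN host, or drop if unsolicited."""
        inside = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or inside is None:
            return None
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


def lan_sensor_view(public_ip="203.0.113.5", ws_ip="192.168.1.20", srv="198.51.100.7"):
    """Workstation fetches a page; the reply carries bytes a generic shellcode
    rule might match. Returns what an outside sensor and the LAN sensor see."""
    nat = StatefulNat(public_ip)
    wan_req = nat.outbound(Packet(ws_ip, 51234, srv, 80, b"GET / HTTP/1.0\r\n\r\n"))
    # constructed reply: ordinary HTML plus a run of 0x90 bytes (false-positive bait)
    reply = Packet(srv, 80, wan_req.src_ip, wan_req.src_port, b"<html>" + b"\x90" * 16)
    lan_view = nat.inbound(reply)  # dst rewritten to the private workstation IP
    unsolicited = Packet(srv, 80, public_ip, 40001, b"\x90" * 16)  # no mapping
    return {"wan_src": wan_req.src_ip, "lan_dst": lan_view.dst_ip,
            "unsolicited_dropped": nat.inbound(unsolicited) is None}
```

A sensor outside the gateway would log the public address for the same flow, so comparing the two vantage points is the quickest way to tell translated return traffic from something that actually reached the LAN without a mapping.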
