[Snort-users] Snort Log Despoofer

Chris Green cmg at ...1935...
Thu May 16 04:39:02 EDT 2002

Glenn Larsson <ichinin at ...5794...> writes:

> Hi Scot.
> Do note; It's beta, i've only tried it in my Home network so even i
> can't tell with 100% accuracy how it will behave, even though it
> just read the Alert file and send ICMP_Echo to the hosts; Hence the
> warning - Do not use the program in a production environment.
> Anyways, i've been thinking about releasing the sourcecode, if i
> decide to release it it'll probably be on My page or Sourceforge. It
> won't happen today though - maby Saturday/Sunday.

Just as a note, ATTACK RESPONSES is designed to show whats coming from
your network and so measuring the internal TTL is showing how your
routes have changed.

Comparing TTL after the fact and a differences could ( would likely ) mean
routing changes.

TCP rules are nearly impossible to spoof when using the stateful
inspection stream4 capabilities in conjunction with

config stateful

in your config file.

Chris Green <cmg at ...1935...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod

More information about the Snort-users mailing list