Snort mailing list archives
Re: RE: NAT Penetration Techniques
From: "Jeff DuVall" <abyssleaper () hotmail com>
Date: Wed, 06 Mar 2002 13:02:24 -0800
I'd agree with Craig on this also. I was commenting on the reason that you are seeing your internal LAN IPs in your snort alerts, instead of your global NAT. Upon investigation of most of *MY* shellcode alerts, they have been false positives from generic HTML traffic from reputable sites.
Good luck. -Jeff
From: "J. Craig Woods" <drjung () sprynet com>
To: Basil Saragoza <snortlst () hotmail com>
CC: Jeff DuVall <abyssleaper () hotmail com>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] RE: NAT Penetration Techniques
Date: Wed, 06 Mar 2002 14:18:05 -0600

Basil Saragoza wrote:
>
> Would it be correct to say that (theoretically at least)
> If I see in snort lan sensor attacks on my lan workstations it mostly means
> that the 'initiator' is local workstation and not the external address cause
> people from outside wouldn't know that ws ip is 10.0.0.234. This is the
> indication that traffic was routed back to that 'initiating' lan workstation,
> and not indication that someone somehow bypasses my NAT on fw.

No, that would not be a good assumption to operate on. Theoretically, almost anything is possible when it comes to networking. You must explore the attacks to see if maybe they are false, but it is possible to attack one of your internal machines from an external source. Remember that your firewall will be doing the translation on the NAT ip back to the local machine ip. Therefore, you could be attacked on a local machine with NAT sending the attack back to the original ip address for the local machine. NAT does *not*, in and of itself, save you from an attack on a local machine.

Remember that ip header flags are set by the originating machine. If I go out to the internet, asking for a connection to some external machine, I am creating a "hole" in the firewall, and it is not necessary for the external machine to "know" my private ip address. Hope this clarifies (as opposed to obfuscating)...

--
J. Craig Woods
UNIX/NT Network/System Administration
-Art is the illusion of spontaneity-
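The translation step Craig describes (the firewall rewriting a reply's destination back to the workstation's private address, so a LAN-side sensor logs 10.0.0.234 while a sensor outside the firewall logs the public NAT address) can be shown with a toy state table. This is an added example, not code from the thread or from Snort: the `Nat` class, the addresses, the `sensor_alert` format and the packets are all constructed for illustration. It also shows the "hole" point: a packet for which no outbound mapping exists is not forwarded at all, while one that matches a mapping reaches the internal host regardless of what it carries.

```python
"""Toy NAT state table: why a LAN-side IDS sensor logs internal IPs.

Constructed example, not part of the original thread. Addresses, ports and
payloads are made up; 203.0.113.7, 198.51.100.20 and 192.0.2.99 are from
the documentation address ranges.
"""
from dataclasses import dataclass, replace
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class Nat:
    """Minimal port-address-translation table (hypothetical, not a real firewall)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        # (internal_ip, internal_port, remote_ip, remote_port) -> public_port
        self.outbound = {}
        # (public_port, remote_ip, remote_port) -> (internal_ip, internal_port)
        self.inbound = {}

    def translate_outbound(self, pkt):
        """An outbound packet creates (or reuses) a mapping: this is the 'hole'."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            pub_port = next(self._ports)
            self.outbound[key] = pub_port
            self.inbound[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt):
        """Inbound packets are forwarded only if they match an existing mapping.

        The destination is rewritten to the internal address, which is what a
        sensor on the LAN side then sees. Returns None when the packet is dropped.
        """
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        internal_ip, internal_port = entry
        return replace(pkt, dst_ip=internal_ip, dst_port=internal_port)


def sensor_alert(pkt, where):
    """What a sensor placed at `where` would log for this packet (constructed format)."""
    return f"[{where}] {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"


def simulate():
    nat = Nat("203.0.113.7")

    # Workstation 10.0.0.234 requests a page from a remote web server.
    request = Packet("10.0.0.234", 3345, "198.51.100.20", 80, b"GET / HTTP/1.0")
    on_wire = nat.translate_outbound(request)

    # The server's reply is addressed to the public NAT address and port...
    reply = Packet("198.51.100.20", 80, on_wire.src_ip, on_wire.src_port, b"HTTP/1.0 200 OK")
    delivered = nat.translate_inbound(reply)

    # ...whereas an unsolicited packet to the firewall has no mapping and is dropped.
    unsolicited = Packet("192.0.2.99", 31337, "203.0.113.7", 445, b"probe")
    dropped = nat.translate_inbound(unsolicited)

    return {
        "outside_sensor": sensor_alert(reply, "outside"),
        "lan_sensor": sensor_alert(delivered, "lan"),
        "unsolicited_forwarded": dropped is not None,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

The same reply packet is logged with two different destinations depending on where the sensor sits, which is why a LAN sensor's alert showing a private address says nothing about whether NAT was bypassed; the reply reached 10.0.0.234 only because that host opened the mapping first.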
Current thread:
- NAT penetration techniques Basil Saragoza (Mar 05)
- RE: NAT Penetration Techniques Jeff DuVall (Mar 06)
- Re: RE: NAT Penetration Techniques Basil Saragoza (Mar 06)
- Re: RE: NAT Penetration Techniques J. Craig Woods (Mar 06)
- Re: RE: NAT Penetration Techniques Basil Saragoza (Mar 06)
- Re: RE: NAT Penetration Techniques Jeff DuVall (Mar 06)