Re: RE: NAT Penetration Techniques

["Jeff DuVall" <abyssleaper () hotmail com>]

I'd agree with Craig on this also.  I was commenting on the reason that you 
are seeing your internal LAN IP's in your snort alerts, instead of your 
global NAT.  Upon investigation of most of *MY* shellcode alerts, they have 
been false positives from generic HTML traffic from reputable sites.

Good luck.

-Jeff


> From: "J. Craig Woods" <drjung () sprynet com>
> To: Basil Saragoza <snortlst () hotmail com>
> CC: Jeff DuVall <abyssleaper () hotmail com>, 
> snort-users () lists sourceforge net
> Subject: Re: [Snort-users] RE:  NAT Penetration Techniques
> Date: Wed, 06 Mar 2002 14:18:05 -0600
> MIME-Version: 1.0
> Received: from [4.41.33.95] by hotmail.com (3.2) with ESMTP id 
> MHotMailBE4FC263004A400431CF0429215FF5080; Wed, 06 Mar 2002 12:09:08 -0800
> Received: from sprynet.com (localhost.localdomain [127.0.0.1])by 
> sherman.trismegistus.net (8.11.6/8.11.6) with ESMTP id g26KI6P10585;Wed, 6 
> Mar 2002 14:18:06 -0600
> From drjung () sprynet com Wed, 06 Mar 2002 12:10:36 -0800
> Sender: root () sherman trismegistus net
> Message-ID: <3C86797D.599C86A4 () sprynet com>
> X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.4.9-31 i686)
> X-Accept-Language: en
> References: <F183CzOOLixJgTWVg8v00011c25 () hotmail com> 
> <OE453eCO94Kj32Gcjlk00009912 () hotmail com>
>
> Basil Saragoza wrote:
> >
> > Would it be correct to say that (theoretically at least)
> > If I see in snort lan sensor attacks on my lan workstations it mostly 
> means
> > that the 'initiator' is local workstation and not the external address 
> cause
> > people from outside wouldn't know that ws ip is 10.0.0.234. This is the
> > indication that trafic was routed back to that 'initating' lan 
> workstation,
> > and not indication that someone somehow bypasses my NAT on fw.
>
> No, that would not be a good assumption to operate on. Theoretically,
> almost anything is possible when it comes to networking. You must
> explore the attacks to see if maybe they are false but it is possible to
> attack one of your internel machines from an externel source. Remember
> that your firewall will be doing the translation on the NAT ip back to
> the local machine ip. Therefore, you could be attacked on a local
> machine with NAT sending the attack back to the original ip address for
> the local machine. NAT does *not*, in and of itself, save you from an
> attack on a local machine. Remember that ip header flags are set by
> orinating machine. If I go out to the internet, asking for a connection
> to some external maching, I am creating a "hole" in the firewall, and it
> is not necessary for the external machine to "know" my private ip
> address.
>
> Hope this clarifies (as opposed to obfuscating)...
>
> --
> J. Craig Woods
> UNIX/NT Network/System Administration
>
> -Art is the illusion of spontaneity-




_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users