Snort mailing list archives

Re: Snort Log Despoofer


From: Chris Green <cmg () sourcefire com>
Date: Thu, 16 May 2002 07:40:15 -0400

Glenn Larsson <ichinin () swipnet se> writes:

> Hi Scot.
>
> Do note: it's beta, I've only tried it in my home network so even I
> can't tell with 100% accuracy how it will behave, even though it
> just reads the Alert file and sends ICMP_Echo to the hosts; hence the
> warning - do not use the program in a production environment.
>
> Anyways, I've been thinking about releasing the source code; if I
> decide to release it, it'll probably be on my page or Sourceforge. It
> won't happen today though - maybe Saturday/Sunday.

Just as a note, ATTACK RESPONSES is designed to show what's coming from
your network, and so measuring the internal TTL is showing how your
routes have changed.

Comparing TTL after the fact, a difference could (would likely) mean
routing changes.

TCP rules are nearly impossible to spoof when using the stateful
inspection stream4 capabilities in conjunction with

config stateful

in your config file.

Cheers,
Chris
-- 
Chris Green <cmg () sourcefire com>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
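
Added example (not part of the original message, and not code from the despoofer tool discussed in it): the after-the-fact TTL comparison from this thread, in Python. It parses full-mode Snort alert entries and compares the hop count implied by each alert's TTL with the hop count implied by an echo-reply TTL from the same source. The sample alerts, the probe TTLs, the initial-TTL list and the 2-hop tolerance are assumptions constructed for illustration.

```python
import re

# Assumption of this example: senders start from one of these common initial TTLs.
INITIAL_TTLS = (32, 64, 128, 255)
# Timestamp/address line and protocol/TTL line of a Snort full-mode alert entry.
ADDR_RE = re.compile(r"^\S+\s+(\d+(?:\.\d+){3})(?::\d+)?\s+->\s+\d+(?:\.\d+){3}")
TTL_RE = re.compile(r"^(?:TCP|UDP|ICMP)\s+TTL:(\d+)")
# Constructed sample alert entries (documentation addresses, made-up rule messages).
SAMPLE_ALERTS = """\
[**] [1:1000001:1] EXAMPLE constructed alert one [**]
[Priority: 2]
05/16-07:40:15.100000 203.0.113.7:80 -> 192.0.2.10:1042
TCP TTL:52 TOS:0x0 ID:4321 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] EXAMPLE constructed alert two [**]
[Priority: 2]
05/16-07:41:02.200000 198.51.100.23 -> 192.0.2.10
ICMP TTL:120 TOS:0x0 ID:977 IpLen:20 DgmLen:84

[**] [1:1000003:1] EXAMPLE constructed alert three [**]
[Priority: 2]
05/16-07:42:30.300000 192.0.2.99:53 -> 192.0.2.10:1055
UDP TTL:243 TOS:0x0 ID:15 IpLen:20 DgmLen:72
"""
# Constructed TTLs of echo replies received from each source (no entry = no reply).
SAMPLE_PROBES = {"203.0.113.7": 53, "198.51.100.23": 49}

def hops(ttl):  # estimated hop count: nearest common initial TTL at or above ttl, minus ttl
    return next(i for i in INITIAL_TTLS if ttl <= i) - ttl

def parse_alerts(text):
    """Yield (source_ip, ttl) for each alert entry in full-mode alert text."""
    src = None
    for line in text.splitlines():
        if m := ADDR_RE.match(line):
            src = m.group(1)
        elif src and (m := TTL_RE.match(line)):
            yield src, int(m.group(1))
            src = None

def compare(text, probe_ttls, tolerance=2):
    """Return (source, alert_hops, probe_hops, verdict) rows; a mismatch may just be a route change."""
    rows = []
    for src, ttl in parse_alerts(text):
        seen = hops(ttl)
        now = hops(probe_ttls[src]) if src in probe_ttls else None
        verdict = "no-reply" if now is None else "consistent" if abs(seen - now) <= tolerance else "mismatch"
        rows.append((src, seen, now, verdict))
    return rows
```

For alerts whose source is inside your own network, as with ATTACK RESPONSES, the comparison measures the internal path, which is the caveat raised in the reply above.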
