Snort mailing list archives
Re: Locate address spoofer?
From: creining () packetfu org
Date: Fri, 13 Sep 2002 20:14:46 -0500
If you suspect a spoofer, one quick test to confirm/deny is to use the utility despoof by Simple Nomad (http://razor.bindview.com/tools). You can compare the TTL logged with a packet with the TTL you receive from despoof. If an attacker is spoofing a packet, the TTL in that packet will not be the correct TTL of one created _at_ that address (unless they are really paranoid and tweak the TTL). Believe it or not routes do change, so this tool is best utilized asap. -Chris On Fri, 13 Sep 2002 08:20:42 -0700 spyguy <spyguy703 () earthlink net> wrote:
If I suspect a source address has been spoofed, how would I go about finding the REAL source of an attack? Is this possible? ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Locate address spoofer? spyguy (Sep 13)
- Re: Locate address spoofer? hackerwacker (Sep 13)
- Re: Locate address spoofer? creining (Sep 13)