Snort mailing list archives
RE: NAT Penetration Techniques
From: "Jeff DuVall" <abyssleaper () hotmail com>
Date: Wed, 06 Mar 2002 10:32:59 -0800
While I'm not an expert at NAT/Penetration/SNORT, I might be able to shed some light for you. I have a similar setup where my Firewall NAT's all connections to the outside world. For example, I might have 10 connections to the outside world from the following 10 imaginary internal IP's:
192.168.1.1 192.168.1.2 .. 192.168.1.10and they will all appear to the outside world as 198.6.1.1 (if that is my public NAT ip) You firewall keeps track of which internal IP's have initiated a connection, and routes the traffic to the correct workstation, even though you have NAT in place. The reason you are seeing these alerts is due to the fact that your firewall is re-routing the packets to the correct IP, and your internal Snort is giving you the alert on the payload contained in that packet. The external sources dont' have any idea what your internal addresses, and couldn't use them unless they had access to your internal network.
On my system, the majority of the shellcode alerts are false, as the signature is picking up on HTML code from normal web traffic.
Just my thoughts here.. -Jeff <..snip..>
From: "Basil Saragoza" <snortlst () hotmail com> To: <snort-users () lists sourceforge net> Date: Tue, 5 Mar 2002 18:24:30 -0500 Subject: [Snort-users] NAT penetration techniquesI'm not really sure this forum is a plcae to ask those questions, but >maybeyou can give me a hint... I run 2 snort sensors: first sniffs traffic coming to public ip of the firewall, second sniffs the lan ip of the firewall, so I can see whichtraffic comes from the internet and which one is actually penetrated >insidemy lan through firewall. I shellcode atacks and other icmp activity that are directed to >computers inside my lan - some workstations let'say. Some of those workstations >have dhcp ip address and some have static (from 10.0.0.x range).Those workstations ip addresses use hidden NAT when they go to internet and outside worls has knowledge of the hidden nat ip address but not of teh particular 10.something address.That's my understanding..... In snort I see attackes directed to 10.0.0.x addresses.HOW OUTSIDE WORLD ATTACKERS CAN KNOW WHICH IP ADDRESSES I USE >INTERNALLY ANDHOW CAN THEY ATTACK THOSE WORKSTATIONS, DO THEY BYPASS NAT SOMEHOW? thx.
_________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- NAT penetration techniques Basil Saragoza (Mar 05)
- <Possible follow-ups>
- RE: NAT Penetration Techniques Jeff DuVall (Mar 06)
- Re: RE: NAT Penetration Techniques Basil Saragoza (Mar 06)
- Re: RE: NAT Penetration Techniques J. Craig Woods (Mar 06)
- Re: RE: NAT Penetration Techniques Basil Saragoza (Mar 06)
- Re: RE: NAT Penetration Techniques Jeff DuVall (Mar 06)