Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: RE: NAT Penetration Techniques

From: "Basil Saragoza" <snortlst () hotmail com>
Date: Wed, 6 Mar 2002 14:42:53 -0500
Would it be correct to say that (theoretically at least)
If I see in snort lan sensor attacks on my lan workstations it mostly means
that the 'initiator' is local workstation and not the external address cause
people from outside wouldn't know that ws ip is 10.0.0.234. This is the
indication that trafic was routed back to that 'initating' lan workstation,
and not indication that someone somehow bypasses my NAT on fw.
----- Original Message -----
From: "Jeff DuVall" <abyssleaper () hotmail com>
To: <snort-users () lists sourceforge net>
Sent: Wednesday, March 06, 2002 1:32 PM
Subject: [Snort-users] RE: NAT Penetration Techniques





While I'm not an expert at NAT/Penetration/SNORT, I might be able to shed
some light for you.  I have a similar setup where my Firewall NAT's all
connections to the outside world. For example, I might have 10 connections
to the outside world from the following 10 imaginary internal IP's:

192.168.1.1
192.168.1.2
..
192.168.1.10

and they will all appear to the outside world as 198.6.1.1 (if that is my
public NAT ip)  You firewall keeps track of which internal IP's have
initiated a connection, and routes the traffic to the correct workstation,
even though you have NAT in place.  The reason you are seeing these alerts
is due to the fact that your firewall is re-routing the packets to the
correct IP, and your internal Snort is giving you the alert on the payload
contained in that packet.  The external sources dont' have any idea what
your internal addresses, and couldn't use  them unless they had access to
your internal network.

On my system, the majority of the shellcode alerts are false, as the
signature is picking up on HTML code from normal web traffic.

Just my thoughts here..

-Jeff

<..snip..>

From: "Basil Saragoza" <snortlst () hotmail com>
To: <snort-users () lists sourceforge net>
Date: Tue, 5 Mar 2002 18:24:30 -0500
Subject: [Snort-users] NAT penetration techniques

I'm not really sure this forum is a plcae to ask those questions, but

maybe

you can give me a hint...
I run 2 snort sensors: first sniffs traffic coming to public ip of the
firewall, second sniffs the lan ip of the firewall, so I can see which
traffic comes from the internet and which one is actually penetrated

inside

my lan through firewall.

I shellcode atacks and other icmp activity that are directed to

computers

inside my lan - some workstations let'say. Some of those workstations

have

dhcp ip address and some have static (from 10.0.0.x range).Those
workstations ip addresses use hidden NAT when they go to internet and
outside worls has knowledge of the hidden nat ip address but not of teh
particular 10.something address.That's my understanding.....
In snort I see attackes directed to 10.0.0.x addresses.
HOW OUTSIDE WORLD ATTACKERS CAN KNOW WHICH IP ADDRESSES I USE >INTERNALLY
AND
HOW CAN THEY ATTACK THOSE WORKSTATIONS, DO THEY BYPASS NAT SOMEHOW?
thx.



_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: