Snort mailing list archives
RE: Rules for non existent IPs
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 23 Apr 2004 15:22:55 -0500
On Fri, 2004-04-23 at 15:11, Marc Cozzi wrote:
configured snort.conf to include the portscan.rules file then went to an off site system and ran ping, nmap and telnet against X.X.X.1. It didn't trigger the rules. Any ideas?
Hehe... I see. Yeah, I think I know what's going on. You are behind a router, and want Snort to catch packets to IPs that don't exist. Well, your router (receiving the request from the Internet) has no clue where to send the packets to since no one responds to its ARP requests, so the router drops them (or perhaps even sends an ICMP host-unreachable back). There are three ways to get the traffic to your Snort box.

1) Assign those IPs to the Snort box itself. That way it will respond to the router's ARP requests and receive the packets. This doesn't work if you run Snort on a network tap though.

2) Create static ARP entries in your router that relate those unused IP addresses to the MAC address of the Snort box, or a MAC address on the segment that Snort can monitor.

3) (and my favorite) Run the LaBrea tar pit on the Snort box, or on another box on the segment that Snort monitors. LaBrea will respond to ARP requests for unused hosts and pretend to be that host, but then it just tarpits TCP sessions (or blackholes UDP).

If you don't do any of this, your router won't send the packets anywhere since they don't exist :)

Regards,
Frank

PS: I cc'ed the snort list since others may have the same problem.

--
Warning at the Gates of Bill: Abandon hope, all ye who press <ENTER> here...
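As an added illustration of the ARP mechanism Frank's third option relies on (this is example code written for this archive page, not LaBrea's code and not anything posted in the thread): a minimal Linux ARP responder that answers the router's who-has requests for addresses in a configured unused range with the sensor's MAC, so the router forwards the packets onto the segment Snort sniffs. It learns from ARP replies and gratuitous/probe requests seen on the wire and refuses to claim an address a real host has answered for recently. The tarpitting of the TCP sessions that LaBrea then does is not implemented; the only goal here is to make the packets arrive. The interface name `eth0`, the 192.0.2.0/24 range and all MAC addresses are placeholders, and the traffic in the usage section is constructed for the example.

```python
"""Minimal ARP responder that claims unused IPv4 addresses on a LAN.

Added example, not from the original thread or from LaBrea. Runs only on
Linux (AF_PACKET raw sockets) and needs root / CAP_NET_RAW. Interface name,
address range and MACs are placeholders to be replaced.
"""
import ipaddress
import socket
import struct
import time
from typing import Dict, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


def parse_arp(frame: bytes) -> Optional[dict]:
    """Parse an Ethernet/IPv4 ARP frame; return None for anything else."""
    if len(frame) < 42:          # 14-byte Ethernet header + 28-byte ARP body
        return None
    _eth_dst, _eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "sha": sha, "spa": ipaddress.IPv4Address(spa),
            "tha": tha, "tpa": ipaddress.IPv4Address(tpa)}


def build_arp_reply(request: dict, our_mac: bytes) -> bytes:
    """Build a unicast ARP reply telling the requester that tpa is at our_mac."""
    eth = struct.pack("!6s6sH", request["sha"], our_mac, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      our_mac, request["tpa"].packed,
                      request["sha"], request["spa"].packed)
    return eth + arp


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Build a broadcast ARP who-has; used here to construct sample traffic."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, sender_mac, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REQUEST,
                      sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


class ArpClaimer:
    """Answer ARP requests for addresses in unused_nets that nobody owns.

    An address is treated as owned (and left alone) for alive_ttl seconds after
    a real host sent an ARP reply, a gratuitous ARP or a DAD probe for it.
    LaBrea proper is more conservative (it waits for requests to go unanswered
    before claiming); this is the simplified version of the same idea.
    """

    def __init__(self, our_mac: bytes, unused_nets, alive_ttl: float = 300.0):
        self.our_mac = our_mac
        self.unused_nets = [ipaddress.IPv4Network(n) for n in unused_nets]
        self.alive_ttl = alive_ttl
        self.last_seen_alive: Dict[ipaddress.IPv4Address, float] = {}
        self.claimed: Dict[ipaddress.IPv4Address, int] = {}

    def claimed_addresses(self):
        return sorted(str(ip) for ip in self.claimed)

    def handle(self, frame: bytes, now: float) -> Optional[bytes]:
        """Return an ARP reply frame to send, or None if we stay quiet."""
        arp = parse_arp(frame)
        if arp is None or arp["sha"] == self.our_mac:
            return None
        if arp["op"] == ARP_REPLY:          # a real host answered for spa
            self.last_seen_alive[arp["spa"]] = now
            return None
        if arp["op"] != ARP_REQUEST:
            return None
        target = arp["tpa"]
        if arp["spa"] == target or int(arp["spa"]) == 0:
            # gratuitous ARP or DAD probe: a host is bringing target up
            self.last_seen_alive[target] = now
            return None
        if not any(target in net for net in self.unused_nets):
            return None
        last = self.last_seen_alive.get(target)
        if last is not None and now - last < self.alive_ttl:
            return None
        self.claimed[target] = self.claimed.get(target, 0) + 1
        return build_arp_reply(arp, self.our_mac)


def main(iface: str = "eth0", unused_nets=("192.0.2.0/24",)) -> None:
    """Sniff ARP on iface and answer for the unused range (Linux, root)."""
    with open(f"/sys/class/net/{iface}/address") as f:   # interface's own MAC
        our_mac = bytes.fromhex(f.read().strip().replace(":", ""))
    claimer = ArpClaimer(our_mac, unused_nets)
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((iface, 0))
    while True:
        reply = claimer.handle(sock.recv(65535), time.monotonic())
        if reply:
            sock.send(reply)


if __name__ == "__main__":
    main()
```

Two things to keep in mind when using this. First, it has to sit on the same segment as the router's LAN interface, for the same reason Frank gives for option 1: a box hanging off a tap sees frames but cannot answer ARP, so nothing is redirected. Second, claiming addresses is only as safe as the "is anybody home" check; the alive_ttl logic above keeps the responder off an address that has just been seen in use, but a host that is merely switched off for longer than the TTL will have its traffic pulled to the sensor when it comes back, until its gratuitous ARP is seen. For options 1 and 2 the equivalent one-liners are `ip addr add 192.0.2.1/32 dev eth0` on the Snort box, or a static entry on the router such as `arp 192.0.2.1 0011.2233.4455 arpa` (Cisco IOS syntax); both are assumptions about your platform, not anything in the thread.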