Snort mailing list archives

RE: Rules for non existent IPs


From: Frank Knobbe <frank () knobbe us>
Date: Fri, 23 Apr 2004 15:22:55 -0500

On Fri, 2004-04-23 at 15:11, Marc Cozzi wrote:
> configured snort.conf to include the portscan.rules file
> then went to an off site system and ran ping, nmap and
> telnet against X.X.X.1. It didn't trigger the rules.
> Any ideas?

Hehe... I see. Yeah, I think I know what's going on. You are behind a
router, and want Snort to catch packets to IPs that don't exist. Well,
your router (receiving the request from the Internet) has no clue where
to send the packets to since no one responds to its ARP requests, so the
router drops them (or perhaps even sends an ICMP-host-unreachable back).

There are three ways to get the traffic to your Snort box. 
1) Assign those IPs to the Snort box itself. That way it will respond
to the router's ARP requests and receive the packets. This doesn't work
if you run Snort on a network tap though.

2) Create static ARP entries in your router that relate those unused IP
addresses with the MAC address of the Snort box, or MAC address on the
segment that Snort can monitor.

3) (and my favorite) Run the LaBrea tar pit on the Snort box, or another
box on the segment that Snort monitors. LaBrea will respond to ARP
requests of unused hosts and pretend to be that host, but then it just
tarpits TCP sessions (or blackholes UDP).

If you don't do any of this, your router won't send the packets anywhere
since they don't exist :)

Regards,
Frank

PS: I cc'ed the snort list since others may have the same problem.

-- 
Warning at the Gates of Bill:  
Abandon hope, all ye who press <ENTER> here...
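The check a sensor operator would want after reading Frank's reply is "which addresses in my monitored range does the router currently fail to resolve, and so will never forward to Snort?". The script below is an added example written for this archive page; it is not Frank's code, nor part of Snort or LaBrea. It assumes a Linux router whose neighbour table is read with `ip neigh show` (iproute2), parses a constructed sample of that output, lists the hosts of a monitored subnet that have no resolved link-layer address, and emits the `ip neigh replace ... nud permanent` commands that implement option 2 (static ARP entries pointing at the sensor's MAC). The subnet, MAC and interface names are placeholders.

```python
"""Find addresses a router cannot ARP-resolve, and generate static neighbour entries for them."""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed sample of `ip neigh show dev eth0` on a Linux router (not captured from a real system).
# FAILED / INCOMPLETE entries carry no lladdr: nobody answered the router's ARP request,
# which is exactly the situation described in the mail (packets to those hosts are dropped).
SAMPLE_NEIGH = """\
192.0.2.1 lladdr 00:11:22:33:44:01 REACHABLE
192.0.2.5 lladdr 00:11:22:33:44:05 STALE
192.0.2.7 FAILED
192.0.2.9 lladdr 00:11:22:33:44:09 PERMANENT
192.0.2.12 INCOMPLETE
"""


def parse_neigh(text: str) -> Dict[str, Optional[str]]:
    """Map each IP in `ip neigh show` output to its MAC, or None when the entry has no lladdr.

    Works with or without the 'dev <ifname>' tokens that appear when no dev filter is given.
    """
    table: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        mac = parts[parts.index("lladdr") + 1] if "lladdr" in parts else None
        table[parts[0]] = mac
    return table


def unreachable_hosts(subnet: str, table: Dict[str, Optional[str]],
                      exclude: Iterable[str] = ()) -> List[str]:
    """Hosts of `subnet` with no resolved MAC: missing from the table or present without lladdr.

    Traffic the router receives for these addresses has nowhere to go, so Snort never sees it.
    `exclude` lets you skip the router's own address or other hosts you know about.
    """
    skip = set(exclude)
    net = ipaddress.ip_network(subnet, strict=False)
    return [str(h) for h in net.hosts()
            if str(h) not in skip and table.get(str(h)) is None]


def static_neigh_commands(ips: Iterable[str], sensor_mac: str, dev: str) -> List[str]:
    """Option 2 from the mail: pin each unused address to the sensor's MAC on the router.

    `nud permanent` makes the entry static so it is not aged out or overwritten by ARP.
    """
    return [f"ip neigh replace {ip} lladdr {sensor_mac} dev {dev} nud permanent" for ip in ips]


if __name__ == "__main__":
    table = parse_neigh(SAMPLE_NEIGH)
    # Placeholder values: monitored block, router address, sensor MAC and router-side interface.
    missing = unreachable_hosts("192.0.2.0/29", table, exclude=("192.0.2.1",))
    print("Addresses the router cannot resolve:", missing)
    for cmd in static_neigh_commands(missing, "00:11:22:33:44:99", "eth0"):
        print(cmd)
```

Run it once against the real table (`ip neigh show dev <router-if>` piped into `parse_neigh`) before and after applying the generated commands; the "cannot resolve" list should be empty afterwards, and a repeat of the off-site nmap/ping test should then reach the sensor. Option 1 (adding the addresses to the Snort host itself) needs no script, and option 3 (LaBrea) replaces the static entries with dynamic ARP answers from the tar pit.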
