
Re: [Snort-devel] icmpspoof preprocessor for snort

From: John Papapanos <jpa3nos(at)lab.epmhs.gr>
Date: Wed Apr 23 2003 - 05:27:07 EDT

----- Original Message -----
From: "Chris Green" <cmg@sourcefire.com>
To: "John Papapanos" <jpa3nos@lab.epmhs.gr>
Cc: <Snort-devel@lists.sourceforge.net>
Sent: Wednesday, April 23, 2003 12:52 AM
Subject: Re: [Snort-devel] icmpspoof preprocessor for snort

> Just a few things for general advice:

Couldn't agree more, my code needs a lot of fixing.

> 2) It seems that you are using global arguments to pass values between

The _DN and _SN functions are mostly the same, but the DN and SN structs are different,
using different pointers and other fields. So I needed to write slightly different code to
implement each one. (Hope I understood what you meant.)

> 3) Have you thought about implementing this as a call back for

No, I haven't thought of that. When I started writing this preproc the portscan2 wasn't there.
I'll look into it. Do you think it is a better solution?


> 4) Is there any consideration for an attacker generating lots of

Very good point. It's at the top of my TO DO list. The only protection mechanism for this is that I check my lists before I make any new
insertion or before I search them to find a matching Request. If the nodes inside the list have
a time field less than the threshold time, then these nodes are deleted. A problem could exist
if the attacker sends too many packets within the Timeout limit (default 3 secs).

> 5) To detect spoofed packets, perhaps you should allow one mac address

If I'm getting it right, this would detect only spoofed packets passing through Snort.
In this preproc, if someone outside the protected net sends a spoofed Request to another outside
host, spoofing the address of an inside host, then the Reply (not spoofed) that will be sent to the protected net will pass through Snort and will generate an alert, because no Request was stored in my lists for this Reply. The same is
happening with the Unreachable messages.

I will send you some snapshots of what the lists in the preproc look like, so it would be easier
for someone to look into the code.

I know I'm not much of a programmer and my code needs a lot of fixing, but I think this preproc could be evolved into something useful.

Thanks for your comments and advice.




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
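The Request/Reply correlation described in the reply above (store outbound Echo Requests, prune entries older than the 3-second timeout, alert on an inbound Echo Reply with no stored Request), written out as an added Python model. This is not the icmpspoof preprocessor's code; the packet tuple, the addresses in the trace and the max_pending bound against list flooding are constructed for the example.

```python
from collections import namedtuple

# Constructed packet model: only the ICMP fields the correlation needs.
Pkt = namedtuple("Pkt", "t direction type src dst id seq")
ECHO_REPLY, ECHO_REQUEST = 0, 8

class IcmpSpoofDetector:
    """Track outbound Echo Requests; alert on inbound Replies with no match."""

    def __init__(self, timeout=3.0, max_pending=4096):
        self.timeout = timeout          # the 3-second default from the message
        self.max_pending = max_pending  # assumed bound against list flooding
        self.pending = {}               # (src, dst, id, seq) -> time of Request

    def _expire(self, now):
        # Prune stored Requests older than the timeout before any insert/lookup.
        for key in [k for k, t in self.pending.items() if now - t > self.timeout]:
            del self.pending[key]

    def observe(self, p):
        """Return an alert string for this packet, or None if it is benign."""
        self._expire(p.t)
        if p.direction == "out" and p.type == ECHO_REQUEST:
            if len(self.pending) >= self.max_pending:
                return "pending table full: Request %s->%s not tracked" % (p.src, p.dst)
            self.pending[(p.src, p.dst, p.id, p.seq)] = p.t
        elif p.direction == "in" and p.type == ECHO_REPLY:
            # A genuine Reply mirrors the addresses and id/seq of a Request we saw go out.
            if self.pending.pop((p.dst, p.src, p.id, p.seq), None) is None:
                return "unsolicited Echo Reply %s->%s id=%d seq=%d" % (p.src, p.dst, p.id, p.seq)
        return None

# Constructed trace: a normal exchange, a Reply to a Request the inside host never
# sent (the spoofed-Request case from the message), and a Reply arriving after the timeout.
TRACE = [
    Pkt(0.0, "out", ECHO_REQUEST, "10.0.0.5", "198.51.100.7", 1, 1),
    Pkt(0.1, "in",  ECHO_REPLY,   "198.51.100.7", "10.0.0.5", 1, 1),
    Pkt(0.5, "in",  ECHO_REPLY,   "203.0.113.9",  "10.0.0.5", 7, 1),
    Pkt(1.0, "out", ECHO_REQUEST, "10.0.0.5", "198.51.100.8", 1, 2),
    Pkt(5.0, "in",  ECHO_REPLY,   "198.51.100.8", "10.0.0.5", 1, 2),
]

def run_trace(trace=TRACE, **kw):
    """Feed a trace through a fresh detector and return the alerts it raised."""
    det = IcmpSpoofDetector(**kw)
    return [a for a in (det.observe(p) for p in trace) if a]
```

The stale Reply in the trace shows the trade-off the message mentions: a short timeout keeps the lists small under a flood but also makes a slow, legitimate Reply look unsolicited.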
Received on Wed Apr 23 05:46:31 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:05 EDT

