Snort Forums Archive
Detect NAT traffic?
Posted by jeep_jeremy on August 22, 2005 06:56:35
I'm using Snort to watch traffic on our Residence Hall Network (students bring interesting stuff to school with them, especially viruses, trojans, worms...). One problem we have is students plugging in wireless routers to our network and leaving a huge security hole. If it was just a WAP I could just run NetStumbler and compare the MAC addresses to those in our switches, but everyone is bringing routers so that doesn't work anymore.
So, is there a way to write a rule to have Snort analyze traffic to determine if it is NAT'd? I'm guessing it would be difficult, but thought it was worth a shot.
Thanks,
Jeremy
Posted by Joel_Esler on August 26, 2005 12:12:45
Theoretically Snort could do it, but it would take a lot of analysis (you'd have to be looking for degraded TTLs in a packet). If you're stuck on using OpenSource (as opposed to using RNA) I would look into p0f.
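The degraded-TTL analysis mentioned in the reply above, sketched as an added example that is not part of the original thread and is not Snort or p0f code. It goes one step beyond the reply by also flagging a source that shows more than one initial TTL. The function names, the `expected_hops` parameter, and the sample addresses and headers are constructed for illustration, and the sensor is assumed to sit on the same segment as the student ports.

```python
import socket
import struct
from collections import defaultdict

INITIAL_TTLS = (64, 128, 255)  # common initial TTLs: Linux/macOS, Windows, some network gear

def parse_ipv4(header: bytes):
    """Return (src_ip, ttl) from a raw IPv4 header, or None if malformed."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return None
    return socket.inet_ntoa(header[12:16]), header[8]

def hops(ttl: int):
    """Estimate (initial_ttl, routers_crossed) from an observed TTL."""
    initial = next(i for i in INITIAL_TTLS if ttl <= i)
    return initial, initial - ttl

def find_nat_suspects(headers, expected_hops=0):
    """Flag sources whose packets crossed more routers than expected_hops,
    or that show several initial TTLs (mixed OSes behind one address)."""
    seen = defaultdict(set)
    for raw in headers:
        parsed = parse_ipv4(raw)
        if parsed:
            seen[parsed[0]].add(hops(parsed[1]))
    suspects = {}
    for src, obs in seen.items():
        reasons = []
        extra = max(n for _, n in obs) - expected_hops
        if extra > 0:
            reasons.append(f"{extra} extra hop(s)")
        if len({i for i, _ in obs}) > 1:
            reasons.append("multiple initial TTLs")
        if reasons:
            suspects[src] = reasons
    return suspects

def make_header(src: str, ttl: int) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left as zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                       socket.inet_aton(src), socket.inet_aton("192.0.2.10"))

# Constructed sample traffic as seen by a sensor on the access VLAN.
SAMPLE = [make_header(s, t) for s, t in [("10.20.1.15", 128), ("10.20.1.16", 64),
          ("10.20.1.77", 127), ("10.20.1.77", 63), ("10.20.1.90", 63)]]

if __name__ == "__main__":
    for src, why in sorted(find_nat_suspects(SAMPLE).items()):
        print(src, "->", ", ".join(why))
```

Set `expected_hops` to the number of routers that legitimately sit between the access ports and the sensor, and confirm any hit against switch port data before acting on it.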