Snort mailing list archives

Previous By Date Next
Previous By Thread Next

attack simulation

From: Bini Mary Thomas <binimary () sasken com>
Date: 05 Feb 2004 18:35:48 +0530
hello all,
         i was trying to simulate security attacks with the help of
CASL. But i am not able to simulate attacks that requires a tcp
connection establishment.Below i have given the program that i tried
with. the snort rule i used is SID 607
the rule is
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh bin";
flow:to_server,established; content: "bin|00|bin|00|";
reference:arachnids,390; classtype:attempted-user; sid:607; rev:4;)
     
snort is not recognizing this attack.

i blocked the reset packets from going out with the help of iptables.

does anybody have a clue about why snort,being a wire sniffer, not
identifying this attack?

Thanks
Bini

#include "tcpip.casl"
#include "packets.casl"

define buf{}

buff="bin";
buffer= new buf;
buffer[0]=0x00;

external_net = 1.2.3.2;
home_net     = 1.2.3.1;

ourtcp=copy TCP;
ourtcp.tcp_source=21;
ourtcp.tcp_destination=514;
ourtcp.tcp_syn=1;

ourip=copy TCPIP;
ourip.ip_source      = external_net;
ourip.ip_destination = home_net;

ourpacket = [ourip,ourtcp];

ip_output(ourpacket);

ourfilter=["src host ", home_net, " and tcp src port ",  514];

readpacket=ip_input(2000,ourfilter);

if(readpacket==0)
        print("no server");

if(size(readpacket)< size(IP)+ size(TCP))
        print("size is not matching");

readip  = extract ip from readpacket;
readtcp = extract tcp from readpacket;

if(readtcp.tcp_ack!=1 || readtcp.tcp_syn!=1 || readtcp.tcp_rst==1)
        print("connection not accepted");

ourtcp.tcp_ack=1;
ourtcp.tcp_ackno=readtcp.tcp_seqno+1;
ourackpacket=[ourip,ourtcp,buff,buffer,buff,buffer];

ip_output(ourackpacket);

-- 

***********************************************************************

PLEASE VISIT US AT STAND E13B, AT 3GSM WORLD CONGRESS 2004, CANNES.

********************************************************************

SASKEN BUSINESS DISCLAIMER

This message may contain confidential, proprietary or legally Privileged information. In case you are not the original 
intended Recipient of the message, you must not, directly or indirectly, use, Disclose, distribute, print, or copy any 
part of this message and you are requested to delete it and inform the sender. Any views expressed in this message are 
those of the individual sender unless otherwise stated. Nothing contained in this message shall be construed as an 
offer or acceptance of any offer by Sasken Communication Technologies Limited ("Sasken") unless sent with that express 
intent and with due authority of Sasken. Sasken has taken enough precautions to prevent the spread of viruses. However 
the company accepts no liability for any damage caused by any virus transmitted by this email.

***********************************************************************
Previous By Date Next
Previous By Thread Next

Current thread: