[Snort-users] Fun with IPF and Snort
thomas r stromberg
tstromberg at ...330...
Mon Mar 19 16:32:40 EST 2001
On 19-Mar-2001, shawn . moyer popped this into my mailspool:
> James Hoagland wrote:
> > If you like that idea, you might want to check out the Deception
> > Toolkit, originally developed a few years ago:
> > http://www.all.net/dtk/
> > Haven't played with it myself, but I heard Fred Cohen talk about it
> > last week at UC Davis.
> DTK is still cool, but it hasn't been very actively maintained for
> a while. I do some similar stuff with netcat and fake banners (i.e. nc -l
> < banner.txt) to create dummy services and other fun stuff. So far,
> though, redirecting stuff to chargen has been the most fun, just to
> watch someone hit that port and be completely baffled.
I have even more fun now.. I set up virtual IPs on my snort box that
appear to have a 'loaded' inetd setup; any packet to them gets
logged by snort. Each service is actually an inetd entry pointing
to a tiny C program I wrote this weekend:
That basically sends some format attacks, flash2.c (you remember
that IRC attack), and a bunch of beeps.. just to annoy the attacker.
To be nice, it will only run for 10 minutes, and sets its 'nice'
priority to 20. It will just pump out data from inetd, and like
chargen: a lot of it. If you're wondering about the line after the
flash/beeps, it's the keyboard layout in Dvorak :)
For humor, try LeechFTP or PuTTY against it.
For extra humor, I also set this on our entire network:
rdr fxp0 0.0.0.0/0 port 111 -> <angelfish ip> port 111 tcp/udp
rdr fxp0 0.0.0.0/0 port 135 -> <angelfish ip> port 135 tcp/udp
rdr fxp0 0.0.0.0/0 port 139 -> <angelfish ip> port 139 tcp/udp
(disclaimer: I'm not a C programmer. Only tested in FreeBSD)
thomas r. stromberg work: tstromberg at ...330...
research triangle commerce (icc.net) home: thomas at ...1617...
"I believe because it is absurd" -- Tertullian.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 230 bytes
Desc: not available
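The inetd-spawned decoy service the post describes, as an added example (my own code, not the poster's scrubbed attachment): it keeps the parts a sensor actually needs, logging who connected, nice 20 and the ten-minute cap, and then streams plain RFC 864 chargen output instead of the format-string payloads and beeps. It assumes inetd hands the accepted IPv4 socket to the program as fd 0/1, via an entry such as `decoy stream tcp nowait nobody /usr/local/sbin/decoy decoy` (service name and path are placeholders).

```c
/* Added example: inetd-spawned decoy. inetd gives us the accepted socket as
 * stdin/stdout, so we log the peer, drop priority, cap runtime at 10 minutes
 * and stream chargen-style lines (RFC 864) until the peer goes away. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <syslog.h>
#include <sys/socket.h>
#include <sys/resource.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define LINE_LEN 72   /* RFC 864 line length */

/* One chargen line: 72 printable chars starting at `offset` in the 95-char
 * cycle 0x20..0x7e, then CRLF and a NUL. Returns 74, or 0 if buf is too small. */
size_t chargen_line(char *buf, size_t buflen, unsigned offset)
{
    size_t i;
    if (buflen < LINE_LEN + 3) return 0;
    for (i = 0; i < LINE_LEN; i++) buf[i] = (char)(0x20 + (offset + i) % 95);
    memcpy(buf + LINE_LEN, "\r\n", 3);   /* CRLF plus terminating NUL */
    return LINE_LEN + 2;
}

/* Format the IPv4 peer of fd as "addr:port"; -1 if fd is not such a socket. */
int peer_string(int fd, char *out, size_t outlen)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getpeername(fd, (struct sockaddr *)&sa, &len) < 0 || sa.sin_family != AF_INET) return -1;
    return snprintf(out, outlen, "%s:%u", inet_ntoa(sa.sin_addr), ntohs(sa.sin_port));
}

static void on_alarm(int sig) { (void)sig; _exit(0); }

int main(void)
{
    char peer[64], line[LINE_LEN + 3];
    unsigned off = 0; size_t n;
    setpriority(PRIO_PROCESS, 0, 20);   /* nice 20, as in the post */
    signal(SIGPIPE, SIG_IGN);           /* peer hangup: fwrite fails, loop ends */
    signal(SIGALRM, on_alarm);
    alarm(10 * 60);                     /* ten-minute cap, as in the post */
    if (peer_string(STDIN_FILENO, peer, sizeof peer) < 0) strcpy(peer, "unknown");
    openlog("decoy", LOG_PID, LOG_DAEMON);
    syslog(LOG_NOTICE, "decoy service hit from %s", peer);
    while ((n = chargen_line(line, sizeof line, off++)) > 0
           && fwrite(line, 1, n, stdout) == n && fflush(stdout) == 0)
        ;
    return 0;
}
```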