[Snort-users] Fun with IPF and Snort

thomas r stromberg tstromberg at ...330...
Mon Mar 19 16:32:40 EST 2001


On 19-Mar-2001, shawn . moyer popped this into my mailspool:
> James Hoagland wrote:
>  
> > If you like that idea, you might want to check out the Deception
> > Toolkit, originally developed a few years ago:
> > 
> >    http://www.all.net/dtk/
> > 
> > Haven't played with it myself, but I heard Fred Cohen talk about it
> > last week at UC Davis.
> 
> DTK is still cool, but it hasn't been very actively maintained for
> a while. I do some similar stuff with netcat and fake banners (i.e. nc -l
> < banner.txt) to create dummy services and other fun stuff. So far,
> though, redirecting stuff to chargen has been the most fun, just to
> watch someone hit that port and be completely baffled. 

   I have even more fun now.. I set up virtual IPs on my snort box that
   appear to have a 'loaded' inetd setup, which any packet to gets
   logged into snort. Each service is actually an inetd entry pointing
   to a tiny C program I wrote this weekend:

   http://home.chaotical.ly/anglerfish2.c

   That basically sends some format attacks, flash2.c (you remember
   that IRC attack), and a bunch of beeps.. just to annoy the attacker.
   To be nice, it will only run for 10 minutes, and sets its 'nice'
   priority to 20. It will just pump out data from inetd, and like
   chargen: a lot of it. If you're wondering about the line after the
   flash/beeps, it's the keyboard layout in dvorak :)

   For humor, try LeechFTP or PuTTY against it. 

   For extra humor, I also set this on our entire network:

   rdr fxp0 0.0.0.0/0 port 111 -> <angelfish ip> port 111 tcp/udp
   rdr fxp0 0.0.0.0/0 port 135 -> <angelfish ip> port 135 tcp/udp
   rdr fxp0 0.0.0.0/0 port 139 -> <angelfish ip> port 139 tcp/udp

   (disclaimer: I'm not a C programmer. Only tested in FreeBSD)

-- 
thomas r. stromberg                       work: tstromberg at ...330...
research triangle commerce (icc.net)      home: thomas at ...1617...
          "I believe because it is absurd" -- Tertullian.
   
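An added example, not the anglerfish2.c from the post above and not code by its author: a decoy meant to be launched by inetd as a TCP `stream`/`nowait` service, so stdout is the connected socket. It emits only the RFC 864 chargen pattern and applies the two limits the post mentions (a 10-minute run time and nice 20); the byte cap and the function names `chargen_line` and `run_decoy` are assumptions made for this example.

```c
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/resource.h>

#define LINE_CHARS 72   /* printable characters per line, as in RFC 864 */
#define FIRST_CH   32   /* ' ' */
#define NUM_CH     95   /* printable ASCII, 32..126 */

/* Fill buf (at least LINE_CHARS + 3 bytes) with line n of the rotating pattern. */
size_t chargen_line(unsigned n, char *buf)
{
    for (int i = 0; i < LINE_CHARS; i++)
        buf[i] = (char)(FIRST_CH + (n + i) % NUM_CH);
    buf[LINE_CHARS] = '\r';
    buf[LINE_CHARS + 1] = '\n';
    buf[LINE_CHARS + 2] = '\0';
    return LINE_CHARS + 2;
}

/* Write pattern lines to fd until max_seconds elapse, the next line would
 * exceed max_bytes, or the peer goes away. Returns total bytes written. */
size_t run_decoy(int fd, int max_seconds, size_t max_bytes)
{
    char line[LINE_CHARS + 3];
    size_t total = 0;
    time_t deadline = time(NULL) + max_seconds;

    setpriority(PRIO_PROCESS, 0, 20);  /* lowest priority; the kernel clamps it */
    alarm((unsigned)max_seconds + 5);  /* backstop if write() blocks on a stalled peer */

    for (unsigned n = 0; time(NULL) < deadline && total + LINE_CHARS + 2 <= max_bytes; n++) {
        size_t len = chargen_line(n, line);
        ssize_t w = write(fd, line, len);
        if (w <= 0)
            break;                     /* client disconnected or write error */
        total += (size_t)w;
    }
    alarm(0);
    return total;
}

int main(void)
{
    /* 600 s matches the post; the 64 MiB cap is a constructed value. */
    run_decoy(STDOUT_FILENO, 600, 64u * 1024 * 1024);
    return 0;
}
```

The alarm backstop matters because a client that stops reading leaves `write()` blocked, and the deadline check in the loop would then never run.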