[Snort-users] Fun with IPF and Snort

Phil Wood cpw at ...440...
Mon Mar 19 17:45:15 EST 2001


Hmmm,

   I take it you have taken this into account:

   % attack -s 66.26.231.27 -d 66.26.231.27 -forever

%^)

On Mon, Mar 19, 2001 at 04:32:40PM -0500, thomas r stromberg wrote:
> On 19-Mar-2001, shawn . moyer popped this into my mailspool:
> > James Hoagland wrote:
> >  
> > > If you like that idea, you might want to check out the Deception
> > > Toolkit, originally developed a few years ago:
> > > 
> > >    http://www.all.net/dtk/
> > > 
> > > Haven't played with it myself, but I heard Fred Cohen talk about it
> > > last week at UC Davis.
> > 
> > DTK is still cool, but it hasn't been very actively maintained for
> > a while. I do some similar stuff with netcat and fake banners (i.e. nc -l
> > < banner.txt) to create dummy services and other fun stuff. So far,
> > though, redirecting stuff to chargen has been the most fun, just to
> > watch someone hit that port and be completely baffled. 
> 
>    I have even more fun now.. I set up virtual IPs on my snort box that
>    appear to have a 'loaded' inetd setup, which any packet to gets
>    logged into snort. Each service is actually an inetd entry pointing
>    to a tiny C program I wrote this weekend:
> 
>    http://home.chaotical.ly/anglerfish2.c
> 
>    That basically sends some format attacks, flash2.c (you remember
>    that IRC attack), and a bunch of beeps.. just to annoy the attacker.
>    To be nice, it will only run for 10 minutes, and sets its 'nice'
>    priority to 20. It will just pump out data from inetd, and like
>    chargen: a lot of it. If you're wondering about the line after the
>    flash/beeps, it's the keyboard layout in dvorak :)
> 
>    For humor, try LeechFTP or PuTTY against it. 
> 
>    For extra humor, I also set this on our entire network:
> 
>    rdr fxp0 0.0.0.0/0 port 111 -> <angelfish ip> port 111 tcp/udp
>    rdr fxp0 0.0.0.0/0 port 135 -> <angelfish ip> port 135 tcp/udp
>    rdr fxp0 0.0.0.0/0 port 139 -> <angelfish ip> port 139 tcp/udp
> 
>    (disclaimer: I'm not a C programmer. Only tested in FreeBSD)
> 
> -- 
> thomas r. stromberg                       work: tstromberg at ...330...
> research triangle commerce (icc.net)      home: thomas at ...1617...
>           "I believe because it is absurd" -- Tertullian.
>    


-- 
Phil Wood, cpw at ...440...