[Snort-users] Fun with IPF and Snort
cpw at ...440...
Mon Mar 19 17:45:15 EST 2001
I take it you have taken this into account:
% attack -s 184.108.40.206 -d 220.127.116.11 -forever
On Mon, Mar 19, 2001 at 04:32:40PM -0500, thomas r stromberg wrote:
> On 19-Mar-2001, shawn . moyer popped this into my mailspool:
> > James Hoagland wrote:
> > > If you like that idea, you might want to check out the Deception
> > > Toolkit, originally developed a few years ago:
> > >
> > > http://www.all.net/dtk/
> > >
> > > Haven't played with it myself, but I heard Fred Cohen talk about it
> > > last week at UC Davis.
> > DTK is still cool, but it hasn't been very actively maintained for
> > a while. I do some similar stuff with netcat and fake banners (i.e. nc -l
> > < banner.txt) to create dummy services and other fun stuff. So far,
> > though, redirecting stuff to chargen has been the most fun, just to
> > watch someone hit that port and be completely baffled.
> I have even more fun now.. I set up virtual IPs on my snort box that
> appear to have a 'loaded' inetd setup, any packet to which gets
> logged into snort. Each service is actually an inetd entry pointing
> to a tiny C program I wrote this weekend:
> That basically sends some format attacks, flash2.c (you remember
> that IRC attack), and a bunch of beeps.. just to annoy the attacker.
> To be nice, it will only run for 10 minutes, and sets its 'nice'
> priority to 20. It will just pump out data from inetd, and like
> chargen: a lot of it. If you're wondering about the line after the
> flash/beeps, it's the keyboard layout in dvorak :)
> For humor, try LeechFTP or PuTTY against it.
> For extra humor, I also set this on our entire network:
> rdr fxp0 0.0.0.0/0 port 111 -> <angelfish ip> port 111 tcp/udp
> rdr fxp0 0.0.0.0/0 port 135 -> <angelfish ip> port 135 tcp/udp
> rdr fxp0 0.0.0.0/0 port 139 -> <angelfish ip> port 139 tcp/udp
> (disclaimer: I'm not a C programmer. Only tested in FreeBSD)
> thomas r. stromberg work: tstromberg at ...330...
> research triangle commerce (icc.net) home: thomas at ...1617...
> "I believe because it is absurd" -- Tertullian.
Phil Wood, cpw at ...440...
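
The inetd-backed decoy described in the quoted message starts one process per connection and lets each run for 10 minutes, so a source that never stops connecting (the scenario the reply at the top appears to raise) can pile up sessions on the sensor. The following is an added example, not code from this thread or from any of its posters: a hypothetical admission gate (`DecoyAdmission`, `replay` and the cap values are assumptions) that bounds concurrent decoy sessions per source and overall while still counting refused attempts so they can be logged.

```python
import time
from collections import Counter

SESSION_SECONDS = 600   # from the post: each session ends after 10 minutes
MAX_PER_SOURCE = 2      # assumed cap, not from the thread
MAX_TOTAL = 50          # assumed cap, not from the thread


class DecoyAdmission:
    """Decides whether a decoy service may start another session."""

    def __init__(self, per_source=MAX_PER_SOURCE, total=MAX_TOTAL,
                 session_seconds=SESSION_SECONDS):
        self.per_source = per_source
        self.total = total
        self.session_seconds = session_seconds
        self.active = []           # (expiry_time, source_ip) of running sessions
        self.refused = Counter()   # source_ip -> refused attempts, kept for logging

    def admit(self, source_ip, now=None):
        """Return True if a session may start; count a refusal otherwise."""
        now = time.monotonic() if now is None else now
        # Drop sessions whose time budget has run out.
        self.active = [(t, ip) for t, ip in self.active if t > now]
        from_source = sum(1 for _, ip in self.active if ip == source_ip)
        if len(self.active) >= self.total or from_source >= self.per_source:
            self.refused[source_ip] += 1
            return False
        self.active.append((now + self.session_seconds, source_ip))
        return True


def replay(events, **limits):
    """Run (time, source_ip) events; return (admitted count, refusals by source)."""
    gate = DecoyAdmission(**limits)
    admitted = sum(gate.admit(ip, now=t) for t, ip in events)
    return admitted, dict(gate.refused)


# Constructed sample: one source reconnecting every second for 20 minutes,
# plus a single visit from another address (documentation-range IPs).
SAMPLE = sorted([(t, "192.0.2.10") for t in range(1200)] + [(5, "198.51.100.7")])

if __name__ == "__main__":
    print(replay(SAMPLE))
```

With these caps the persistent source holds at most two sessions at a time, and the refusal counter shows how often it tried.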