[Snort-users] attack simulation

Bini Mary Thomas binimary at ...11145...
Thu Feb 5 05:06:05 EST 2004


hello all,
         i was trying to simulate security attacks with the help of
CASL. But i am not able to simulate attacks that requires a tcp
connection establishment.Below i have given the program that i tried
with. the snort rule i used is SID 607
the rule is
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh bin";
flow:to_server,established; content: "bin|00|bin|00|";
reference:arachnids,390; classtype:attempted-user; sid:607; rev:4;)
     
snort is not recognizing this attack.

i blocked the reset packets from going out with the help of iptables.

does anybody have a clue about why snort,being a wire sniffer, not
identifying this attack?

Thanks
Bini

#include "tcpip.casl"
#include "packets.casl"

define buf{}

buff="bin";
buffer= new buf;
buffer[0]=0x00;

external_net = 1.2.3.2;
home_net     = 1.2.3.1;

ourtcp=copy TCP;
ourtcp.tcp_source=21;
ourtcp.tcp_destination=514;
ourtcp.tcp_syn=1;

ourip=copy TCPIP;
ourip.ip_source      = external_net;
ourip.ip_destination = home_net;

ourpacket = [ourip,ourtcp];

ip_output(ourpacket);

ourfilter=["src host ", home_net, " and tcp src port ",  514];

readpacket=ip_input(2000,ourfilter);

if(readpacket==0)
	print("no server");

if(size(readpacket)< size(IP)+ size(TCP))
	print("size is not matching");

readip  = extract ip from readpacket;
readtcp = extract tcp from readpacket;

if(readtcp.tcp_ack!=1 || readtcp.tcp_syn!=1 || readtcp.tcp_rst==1)
	print("connection not accepted");

ourtcp.tcp_ack=1;
ourtcp.tcp_ackno=readtcp.tcp_seqno+1;
ourackpacket=[ourip,ourtcp,buff,buffer,buff,buffer];

ip_output(ourackpacket);

-- 
-------------- next part --------------
***********************************************************************

PLEASE VISIT US AT STAND E13B, AT 3GSM WORLD CONGRESS 2004, CANNES.

********************************************************************

SASKEN BUSINESS DISCLAIMER

This message may contain confidential, proprietary or legally Privileged information. In case you are not the original intended Recipient of the message, you must not, directly or indirectly, use, Disclose, distribute, print, or copy any part of this message and you are requested to delete it and inform the sender. Any views expressed in this message are those of the individual sender unless otherwise stated. Nothing contained in this message shall be construed as an offer or acceptance of any offer by Sasken Communication Technologies Limited ("Sasken") unless sent with that express intent and with due authority of Sasken. Sasken has taken enough precautions to prevent the spread of viruses. However the company accepts no liability for any damage caused by any virus transmitted by this email.

***********************************************************************


More information about the Snort-users mailing list