[Snort-users] attack simulation

--=_IS_MIME_Boundary
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

hello all,
i was trying to simulate security attacks with the help of
CASL. But i am not able to simulate attacks that requires a tcp
connection establishment.Below i have given the program that i tried
with. the snort rule i used is SID 607
the rule is
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh bin";
flow:to_server,established; content: "bin|00|bin|00|";
reference:arachnids,390; classtype:attempted-user; sid:607; rev:4;)

snort is not recognizing this attack.

i blocked the reset packets from going out with the help of iptables.

does anybody have a clue about why snort,being a wire sniffer, not
identifying this attack?

Thanks
Bini

#include "tcpip.casl"
#include "packets.casl"

define buf{}

buff="bin";
buffer= new buf;
buffer[0]=0x00;

external_net = 1.2.3.2;
home_net = 1.2.3.1;

ourtcp=copy TCP;
ourtcp.tcp_source=21;
ourtcp.tcp_destination=514;
ourtcp.tcp_syn=1;

ourip=copy TCPIP;
ourip.ip_source = external_net;
ourip.ip_destination = home_net;

ourpacket = [ourip,ourtcp];

ip_output(ourpacket);

ourfilter=["src host ", home_net, " and tcp src port ", 514];

readpacket=ip_input(2000,ourfilter);

if(readpacket==0)
print("no server");

if(size(readpacket)< size(IP)+ size(TCP))
print("size is not matching");

readip = extract ip from readpacket;
readtcp = extract tcp from readpacket;

if(readtcp.tcp_ack!=1 || readtcp.tcp_syn!=1 || readtcp.tcp_rst==1)
print("connection not accepted");

ourtcp.tcp_ack=1;
ourtcp.tcp_ackno=readtcp.tcp_seqno+1;
ourackpacket=[ourip,ourtcp,buff,buffer,buff,buffer];

ip_output(ourackpacket);

--

--=_IS_MIME_Boundary
Content-Type: text/plain;charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

************************************************** *********************

PLEASE VISIT US AT STAND E13B, AT 3GSM WORLD CONGRESS 2004, CANNES.

************************************************** ******************

SASKEN BUSINESS DISCLAIMER

This message may contain confidential, proprietary or legally Privileged information. In case you are not the original intended Recipient of the message, you must not, directly or indirectly, use, Disclose, distribute, print, or copy any part of this message and you are requested to delete it and inform the sender. Any views expressed in this message are those of the individual sender unless otherwise stated. Nothing contained in this message shall be construed as an offer or acceptance of any offer by Sasken Communication Technologies Limited ("Sasken") unless sent with that express intent and with due authority of Sasken. Sasken has taken enough precautions to prevent the spread of viruses. However the company accepts no liability for any damage caused by any virus transmitted by this email.

************************************************** *********************

--=_IS_MIME_Boundary--


-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users