
Intrusion reaction application

From: Fred Durst <lolowerd(at)hotmail.com>
Date: Wed Apr 16 2003 - 07:54:37 EDT

Hello World !
I'm working on an IDS reaction application and I am running into some problems making an effective TCP packet sending function. I use libpcap, libnet 1.1 and snort.
I tested my program (which you can see at the end of this mail) on a script that executes an infinite loop of rlogins, mount, rpcinfo on a distant machine. In fact, I want to be able to send TCP reset packets so that my script is blocked (not stopped, but you can see "Connection reset by peer"). I could see that my program works only for the rlogins (I can see "Connection reset by peer" only when the script tries the rlogins). Furthermore, speaking only of the rlogins, it works only 90% of the time and I really don't know why it doesn't work the rest of the time. I could also see that with Couic (http://michel.arboi.free.fr/UKUSA/couic.html) it worked very well: my script is blocked at each command (not only with the rlogins) by the TCP reset packets, and it works every time. I tried to update Couic in order to make it work with libnet 1.1 but there are some differences and I've not been able to do it yet. I modified my code in order to make it similar to Couic but it still doesn't work.

Here are some parts of my code (I only included the parts relevant to my problem).



case 6: /* This is where I decide to send TCP Reset packets */
	for (d=0;d
break;

And finally, here is the code of my TCPRST function. I don't know whether it is better to use LIBNET_LINK (with libnet_build_ethernet), as is done in my code, or LIBNET_RAW4 mode (without libnet_build_ethernet).


//Tcp reset function ******************************************

#include <libnet.h>   /* libnet 1.1: libnet_init, libnet_build_*, libnet_write */

/* Globals set elsewhere in the program (not shown in this mail); the types are assumed. */
extern char *dev;                             /* interface to inject on */
extern char errlbuf[LIBNET_ERRBUF_SIZE];      /* libnet error buffer */
extern u_int8_t ether_dest[6], ether_src[6];  /* MAC addresses taken from the captured frame */
extern u_int16_t t;                           /* ethertype of the captured frame, network byte order */

/* saddr/daddr are IPv4 addresses in network byte order, as libnet_build_ipv4 expects. */
static int TCPRST(u_int32_t saddr, u_int32_t daddr, u_short sport, u_short dport,
                  u_int32_t t_seq, u_int32_t t_ack)
{
  int c;
  libnet_t *l;
  libnet_ptag_t ip_tag, tcp_tag, eth_tag;

  fprintf(stderr, "seq : %x, ack : %x\n", t_seq, t_ack);

  /* A new handle is opened for every reset; reusing one handle would be cheaper. */
  l = libnet_init(LIBNET_LINK, dev, errlbuf);
  if (l == NULL)
  {
	  fprintf(stderr, "libnet_init failed: %s\n", errlbuf);
	  exit(EXIT_FAILURE);
  }

  /* control 0x14 = RST|ACK, window 5555, checksum 0 so libnet computes it, urg 0 */
  tcp_tag = libnet_build_tcp(sport, dport, t_seq, t_ack, 0x14, 5555, 0,
                             0, LIBNET_TCP_H, NULL, 0, l, 0);
  if (tcp_tag == -1)
  {
          fprintf(stderr, "libnet_build_tcp failed: %s\n", libnet_geterror(l));
          goto bad;
  }

  //fprintf(stderr,"build_tcp ok\n");

  ip_tag = libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H,
                             0xF4 /*IPTOS_LOWDELAY*/,
                             rand() & 0xFFFF,   /* IP id */
                             0, 64, IPPROTO_TCP, 0 /* checksum computed by libnet */,
                             saddr, daddr, NULL, 0, l, 0);
  if (ip_tag == -1)
  {
          fprintf(stderr, "libnet_build_ipv4 failed: %s\n", libnet_geterror(l));
          goto bad;
  }

  //fprintf(stderr,"build_ipv4 ok\n");

  /* libnet_build_ethernet takes the type in host order and applies htons itself,
     so htons(t) is only right if t still holds the network-order value from the capture. */
  eth_tag = libnet_build_ethernet(ether_dest, ether_src, htons(t), NULL, 0, l, 0);
  if (eth_tag == -1)
  {
          fprintf(stderr, "libnet_build_ethernet failed: %s\n", libnet_geterror(l));
          goto bad;
  }

  //fprintf(stderr,"build_ethernet ok\n");

  c = libnet_write(l);
  if (c == -1)
  {
	  fprintf(stderr, "libnet_write failed: %s\n", libnet_geterror(l));
	  goto bad;
  }
  else fprintf(stderr, "Wrote %d byte(s) TCP packet; check the wire.\n", c);

  libnet_destroy(l);
  return (EXIT_SUCCESS);
bad:
  libnet_destroy(l);
  return (EXIT_FAILURE);
}


THANKS IN ADVANCE, at least for reading until here.
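A reset sent by an IDS is only honoured if its sequence number lands in the receiver's window, which is the usual reason such resets work "most of the time". The following added example (not from the mail, not part of libnet or Couic) computes, from one observed segment, the seq/ack values a RST to each endpoint must carry and applies the RFC 793 in-window check; the struct fields and function names are assumptions for illustration, and no packet is sent.

```c
#include <stdint.h>

/* One observed TCP segment, as the IDS sees it (all values in host byte order). */
struct tcp_obs {
    uint32_t src, dst;       /* IPv4 addresses */
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint16_t win;            /* window advertised by the sender of this segment */
    uint32_t payload_len;
    int syn, fin;
};

/* Addressing and sequence numbers for one reset segment. */
struct rst_params {
    uint32_t src, dst;
    uint16_t sport, dport;
    uint32_t seq, ack;
};

/* Sequence space consumed by the observed segment: payload plus one for SYN and FIN. */
static uint32_t seg_len(const struct tcp_obs *o)
{
    return o->payload_len + (o->syn ? 1u : 0u) + (o->fin ? 1u : 0u);
}

/* Reset aimed at the receiver of the observed segment: it speaks as the sender,
   so its seq is the sender's next sequence number. */
void rst_to_receiver(const struct tcp_obs *o, struct rst_params *r)
{
    r->src = o->src;     r->dst = o->dst;
    r->sport = o->sport; r->dport = o->dport;
    r->seq = o->seq + seg_len(o);
    r->ack = o->ack;
}

/* Reset aimed back at the sender: it speaks as the receiver, whose next sequence
   number is exactly what the sender just acknowledged. */
void rst_to_sender(const struct tcp_obs *o, struct rst_params *r)
{
    r->src = o->dst;     r->dst = o->src;
    r->sport = o->dport; r->dport = o->sport;
    r->seq = o->ack;
    r->ack = o->seq + seg_len(o);
}

/* RFC 793 acceptance test for a zero-length segment: rcv_nxt <= seq < rcv_nxt + rcv_wnd
   (modulo 2^32). rcv_wnd is the window the target last advertised; a RST outside it
   is silently dropped, which is what an IDS must avoid. */
int rst_in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    if (rcv_wnd == 0)
        return seq == rcv_nxt;
    return (uint32_t)(seq - rcv_nxt) < rcv_wnd;
}
```

For the reset sent back to the sender, `rcv_wnd` is the `win` field of the observed segment; for the reset sent to the receiver it is the window the receiver advertised in its own last segment, so the IDS needs state from both directions.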



Received on Wed Apr 16 08:16:24 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:23 EDT

