Snot V0.91 alpha by sniph00@yahoo.com
-------------------------------------
** If you are reading this on UNIX, run 'make unixify' to clean the dos chars **
Get the latest version of snot at http://www.geocities.com/sniph00
Introduction
------------
Snot is an arbitrary packet generator that uses snort rules files as its source
of packet information. It randomises, at all times, every field that the rule
does not pin down, to hamper the writing of 'snot detection' snort rules.
It can be used as an IDS evasion tool, by burying real traffic under alerts from
spoofed decoy hosts, or just as something to keep your friendly IDS monitoring
staff busy.
Usage
-----
-r The rules file that snot will read in.
-s Source host. Either a single ip address/mask, or a snort-style array of
ip address/mask entries, e.g. [1.1.1.1,2.2.2.2/24].
-d Destination host. Same format as the source.
-i (WIN32 build) Select your interface by integer index. libnetnt has no way
to enumerate interfaces, so start at 1 and go up until it works.
-l Delay. Before each packet snot picks a random number of seconds between
1 and delay and sleeps that long.
-n Number of packets to send in total. If unset or 0, snot runs forever.
Examples
--------
snot -r snort.rules -s www.somerandomhost.org/24 -d somesnortuser.com -l 10
snot reads in the snort.rules file, sends packets with source addr from
anywhere on the /24 network that www.somerandomhost.org resolves to, and
sends them to somesnortuser.com, sleeping for up to 10 seconds per packet.
snot -r snort.rules -s [1.1.1.1,2.2.2.2,3.1.33.7] -d somesnortuser.com/28 -l 10
snot reads in the snort.rules file, sends packets from a random selection of
the addresses 1.1.1.1, 2.2.2.2, 3.1.33.7, and sends them to whatever
somesnortuser.com resolves to, masked with /28, sleeping for up to 10 seconds
per packet.
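The -s/-d address syntax used in the two examples above, together with the -l delay and -n count, can be modelled in a few lines. The following is an added example written for this page, not snot's own code: it accepts only literal IPv4 addresses so it runs offline (snot itself resolves hostnames before applying the mask), and picking uniformly among the entries of an address list is an assumption, not documented snot behaviour.

```python
import ipaddress
import random

# Added example, not snot's code. Models the -s/-d address syntax and the
# -n/-l packet loop. Only literal IPs are accepted (no DNS), and uniform choice
# between list entries is an assumption about snot, not documented behaviour.


def parse_addr_spec(spec: str) -> list:
    """Parse 'a.b.c.d', 'a.b.c.d/mask' or a snort array '[x/m,y,z]' into networks.
    strict=False masks off the host bits, so 203.0.113.77/28 becomes 203.0.113.64/28."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        parts = [p.strip() for p in spec[1:-1].split(",") if p.strip()]
    else:
        parts = [spec]
    if not parts:
        raise ValueError("empty address list")
    return [ipaddress.IPv4Network(p, strict=False) for p in parts]


def random_address(nets, rng=random) -> ipaddress.IPv4Address:
    """Pick one entry of the spec at random, then one address inside it."""
    net = rng.choice(nets)
    return net[rng.randrange(net.num_addresses)]


def packet_plan(src_spec: str, dst_spec: str, count: int, delay: int, rng=random):
    """Yield (src, dst, sleep_seconds) per packet, mirroring -s/-d/-n/-l:
    count 0 means run forever; sleep is a random 1..delay (0 when delay is 0)."""
    src_nets, dst_nets = parse_addr_spec(src_spec), parse_addr_spec(dst_spec)
    sent = 0
    while count == 0 or sent < count:
        sleep = rng.randint(1, delay) if delay > 0 else 0
        yield random_address(src_nets, rng), random_address(dst_nets, rng), sleep
        sent += 1


if __name__ == "__main__":
    # Constructed equivalent of the second example above, with literal addresses.
    for src, dst, sleep in packet_plan("[1.1.1.1,2.2.2.2,3.1.33.7]",
                                       "203.0.113.77/28", count=5, delay=10):
        print(f"{src} -> {dst}  (sleep {sleep}s)")
```

Each tuple the generator yields is one packet's addressing plus the pause before it; a real sender would build the packet from the rule and write it out between the sleeps.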
Limitations
-----------
snot requires libnet. On Unix, get it from
http://www.packetfactory.net/projects/libnet , and for the NT build get libnetnt
from http://www.eeye.com/html/Research/Tools/libnetnt.html . WinNT will also
require the packet driver from http://netgroup-serv.polito.it/winpcap/
snot currently doesn't handle any snort preprocessors or include files:
concatenate the rules files together yourself before feeding them to snot.
snot will read rules whose direction is reversed, i.e. $HOME_NET -> any, but the
source and destination addresses given on the command line are always placed
in the order SOURCE -> DEST.
Thus rules written in this "response" format will not trigger an alert on a
remote snort sensor, because the packet arrives from the wrong side.
This can't really be fixed, short of not parsing such rules at all.
snot expands variables in the order they appear in the rules file. If a
variable declaration appears after its first use, the rule using the variable
will fail to parse.
snot assumes the hex part of a content string is written as 2-character bytes
from 00 to FF. If the hex component of a content string doesn't conform to
this, the rule is ignored. For some reason there are rules in circulation
that contain hex such as |00 b0 123 c0|; snot will not parse these.
(It's called network byte ordering, Marty.. if you are going to be ambiguous,
at least document it.)
snot is hardcoded to use Ethernet with an MTU of 1500, so snort rules that
specify a dsize > 1500 are ignored. I might fix this at some stage.
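The restrictions above (variables declared before use, 2-character hex bytes, dsize against the 1500 byte MTU) plus the reversed-rule note earlier in this section can be checked mechanically. The following is an added example written for this page, not snot's parser: a minimal reader for a concatenated rules file that records why each rule is dropped. The rule lines at the bottom are constructed for the example; the option regex, the set of options it keeps, and the "response format" flag on $HOME_NET-sourced rules are my assumptions about how such a parser would be laid out, not a description of snot's internals. It goes slightly beyond the text in that it also ignores unrecognised rule options, which is the fallback the README describes for the 1.7 format further down.

```python
import re

# Added example, not snot's own parser. Reads a concatenated snort rules file
# top to bottom and applies the README's restrictions: variables before use,
# |hex| as whole 2-digit bytes, dsize above the MTU drops the rule, unknown
# options ignored, $HOME_NET -> ... flagged as "response format".
# Sample rules at the bottom are constructed for this example.

MTU = 1500
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
VAR_REF = re.compile(r"\$([A-Za-z_]\w*)")
OPTION = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')
KNOWN_OPTIONS = {"msg", "content", "dsize", "sid"}   # assumption: what we keep


def parse_content(raw: str) -> bytes:
    """Text outside |...| is literal; inside, every token must be exactly two hex
    digits, so content:"|00 b0 123 c0|" raises ValueError instead of being guessed."""
    chunks = raw.split("|")
    if len(chunks) % 2 == 0:
        raise ValueError("unbalanced '|' in content")
    out = bytearray()
    for i, chunk in enumerate(chunks):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
            continue
        for tok in chunk.split():
            if not HEX_BYTE.match(tok):
                raise ValueError(f"bad hex byte {tok!r}")
            out.append(int(tok, 16))
    return bytes(out)


def expand_vars(text: str, variables: dict) -> str:
    """Replace $NAME with its value as declared so far; an unknown name raises KeyError."""
    return VAR_REF.sub(lambda m: variables[m.group(1)], text)


def dsize_min(spec: str) -> int:
    """Smallest payload a dsize option allows: '>N' -> N+1, 'N<>M' -> N, 'N' -> N, '<N' -> 0."""
    spec = spec.strip()
    if spec.startswith(">"):
        return int(spec[1:]) + 1
    if spec.startswith("<"):
        return 0
    return int(spec.split("<>")[0])


def parse_rules(text: str):
    """Return (rules, skipped); skipped holds (line number, reason) per dropped rule."""
    variables, rules, skipped = {}, [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = expand_vars(value, variables)   # declaration order matters
            continue
        try:
            head, _, body = line.partition("(")
            action, proto, src, sport, direction, dst, dport = head.split()
            # Written as $HOME_NET -> ...: snot still sends it as the command-line
            # SOURCE -> DEST, so a remote sensor will not match it.
            response_format = src.startswith("$HOME_NET")
            src, sport, dst, dport = (expand_vars(f, variables) for f in (src, sport, dst, dport))
            rule = {"action": action, "proto": proto, "src": src, "sport": sport,
                    "dst": dst, "dport": dport, "content": b"",
                    "response_format": response_format}
            for name, value in OPTION.findall(body):
                if name not in KNOWN_OPTIONS:
                    continue                                  # newer options: ignored
                if value.startswith('"') and value.endswith('"'):
                    value = value[1:-1]
                if name == "content":
                    rule["content"] = parse_content(value)
                elif name == "dsize":
                    if dsize_min(value) > MTU:
                        raise ValueError(f"dsize {value} exceeds MTU {MTU}")
                else:
                    rule[name] = value
            rules.append(rule)
        except KeyError as e:
            skipped.append((lineno, f"undeclared variable {e.args[0]}"))
        except ValueError as e:
            skipped.append((lineno, str(e)))
    return rules, skipped


RULES = """\
var EXTERNAL_NET any
var HOME_NET 192.168.1.0/24
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"cgi probe"; content:"GET /cgi-bin/|00 b0|"; sid:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"three-digit hex"; content:"|00 b0 123 c0|"; sid:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"oversized"; dsize:>1500; content:"x"; sid:3;)
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ftp banner"; content:"230 "; sid:4;)
alert tcp $LATE_NET any -> $HOME_NET 25 (msg:"var declared too late"; content:"HELO"; sid:5;)
var LATE_NET 10.0.0.0/8
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"unknown option"; content:"SSH-"; newopt:whatever; sid:6;)
"""

if __name__ == "__main__":
    kept, dropped = parse_rules(RULES)
    for r in kept:
        print(r["sid"], r["src"], "->", r["dst"], r["content"], "(response format)" if r["response_format"] else "")
    for lineno, why in dropped:
        print(f"line {lineno}: skipped, {why}")
```

Run against the constructed rules it keeps sids 1, 4 and 6 (4 flagged as response format, 6 with newopt silently dropped) and rejects 2, 3 and 5 with a reason per line; those three are exactly the cases the README says snot ignores without comment, so logging the reason is the one thing this toy does that the tool does not.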
The snot win32 distribution comes with a patched libnetnt.dll that works around
eEye's bugs in byte ordering and outright crashes.
snot compiles cleanly on both WIN32 and Unix, but only little-endian (Intel)
byte ordering has been tested. Unix builds require libnet to be installed, and
you may have to modify the libnet paths in the Makefile to get it to compile.
I haven't even read the new stuff Marty has done to the rules format in 1.7, so
at the moment the only handling of any new rule options is that snot ignores
them. This will probably be fixed later.
On OpenBSD the ipoptions code fails with EINVAL from libnet_write_ip; this still
needs looking into.
On Unix you need to run snot as root, since it writes raw packets.
Fixes
-----
Most of the really ugly code has been fixed in this version.
Contact
-------
I'd like to receive feedback and/or patches for this tool. And if anyone wants
to give me a place to host this thing instead of geocities, that would be nice
too :)
You can email me at sniph00@yahoo.com.