From: turnere@MimeStar.com
Date: Wed, 3 May 2000 15:03:06 -0400 (EDT)
To: bugtraq@securityfocus.com, vuln-dev@securityfocus.com, INDICENTS@securityfocus.com, auscert@auscert.org.au, cert@cert.org, ciac@llnl.gov, submissions@packetstorm.securify.com, linux-security@redhat.com
Subject: Detecting and Decoding "mstream" Activity

--------------------------------------
Detecting and Decoding MStream Traffic
--------------------------------------

May 03, 2000

Copyright (C) 2000, Elliot Turner, MimeStar, Inc.
All rights reserved.

Recently a distributed denial of service (DDoS) attack tool known as "mstream" has surfaced inside the cracker and security communities. This tool allows malicious individuals to perform denial of service attacks against target hosts in a large-scale fashion, using a number of centrally controlled attacker agents.

Source code for the "mstream" DDoS tool was posted to both the vuln-dev and BUGTRAQ mailing lists on April 29, 2000. A detailed analysis of the "mstream" tool was posted to both the vuln-dev and BUGTRAQ mailing lists on May 01, 2000.

In response to the surfacing of this attack tool and the published analysis of its inner workings, we have developed a set of SNP-L scripts and attack signatures which allow one to detect and decode "mstream" network activity.
Many thanks go out to the following individuals, for their work in developing the analysis of the "mstream" tool and its workings:

    David Dittrich
    George Weaver
    Sven Dietrich
    Neil Long

The "mstream" analysis provides detailed information regarding the workings of this DDoS tool, and is a highly suggested read.

Using the attack signature modules and SNP-L scripts included in this write-up, one can detect and decode "mstream" network activity. Decoding of the following transmissions is supported:

    Attacker <-> Handler  TCP Control Connections
    Handler   -> Agent    UDP Control Messages
    Agent     -> Handler  UDP Control Messages

These modules and scripts are designed to detect "mstream" activity for the following variations of this tool:

    "in the wild" (referenced in the "mstream" analysis)
    published source
    recovered source

It should be understood that, since the source code to the "mstream" DDoS tool has been made publicly available, it is possible for one to sufficiently change the tool to evade detection by the included modules and scripts.

The modules and scripts included in this write-up are designed for use with the SecureNet PRO Network Monitoring and Intrusion Detection Platform. This is a commercial intrusion detection package. However, a version of SecureNet PRO is freely available for download from MicroNetics, Inc. (http://www.MicroNetics.net). Additional information on the SecureNet PRO Network Monitoring and Intrusion Detection Platform is available at http://www.MimeStar.com.

The scripts and modules included with this write-up attempt to intelligently parse "mstream" network transmissions, rather than matching isolated strings. This is done to reduce the potential for both false positives and false negatives. These modules may be easily modified to detect "mstream" traffic on different port combinations or variations of the content of actual transmissions.

------------------------------
MStream Attack Signatures List
------------------------------

- Decoder Modules

    1. MSTREAM Attacker->Handler TCP Decoder
    2. MSTREAM Agent->Handler UDP Decoder
    3. MSTREAM Handler->Agent UDP Decoder

- Agent->Handler Modules

    4. MSTREAM Agent->Handler [NewServer] Command
    5. MSTREAM Agent->Handler [Pong] Command

- Handler->Agent Modules

    6. MSTREAM Handler->Agent [Ping] Command
    7. MSTREAM Handler->Agent [Stream] Command
    8. MSTREAM Handler->Agent [MStream] Command

- Attacker->Handler Modules

    9. MSTREAM Attacker->Handler [Connection]
   10. MSTREAM Attacker->Handler [Password]
   11. MSTREAM Attacker->Handler [Who] Command
   12. MSTREAM Attacker->Handler [Help] Command
   13. MSTREAM Attacker->Handler [Ping] Command
   14. MSTREAM Attacker->Handler [Quit] Command
   15. MSTREAM Attacker->Handler [Stream] Command
   16. MSTREAM Attacker->Handler [MStream] Command
   17. MSTREAM Attacker->Handler [Servers] Command

- Handler->Attacker Modules

   18. MSTREAM Handler->Attacker [Streaming] Notify
   19. MSTREAM Handler->Attacker [MStreaming] Notify
   20. MSTREAM Handler->Attacker [New Server] Notify
   21. MSTREAM Handler->Attacker [Connection From] Notify
   22. MSTREAM Handler->Attacker [Online List]
   23. MSTREAM Handler->Attacker [Commands List]
   24. MSTREAM Handler->Attacker [Pinging Agents] Notify
   25. MSTREAM Handler->Attacker [Lost Connection] Notify
   26. MSTREAM Handler->Attacker [Invalid Password] Notify
   27. MSTREAM Handler->Attacker [Valid Password] Notify
   28. MSTREAM Handler->Attacker [Agent List]
   29. MSTREAM Handler->Attacker [User Disconnected] Notify

--------------------------------
MStream Attack Signature Modules
--------------------------------

These modules serve a dual purpose: the three decoder modules are the hooks between the SecureNet PRO system and the SNP-L network activity decoder scripts (they bind a script to a set of destination ports), and the remaining modules are the event triggers, fired by those scripts, which allow one to be notified of "mstream" activity.
------------ MSTREAM_Decoder.db snip ------------

--Module-Begin--
Name: MSTREAM Attacker->Handler TCP Decoder
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 0
Dest-Port: 6723, 15104, 12754
Analysis-Script: gotMStreamAttackerToHandlerConnection
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Agent->Handler UDP Decoder
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 2
Dest-Port: 9325, 6838
Analysis-Script: gotMStreamAgentToHandlerData
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Handler->Agent UDP Decoder
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 2
Dest-Port: 7983, 10498
Analysis-Script: gotMStreamHandlerToAgentData
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Agent->Handler [NewServer] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Agent->Handler [NewServer] Command from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Agent->Handler [Pong] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Agent->Handler [Pong] Command from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Handler->Agent [Ping] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Agent [Ping] Command from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Handler->Agent [Stream] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Agent [Stream: ~ARGDATA0, ~ARGDATA1] Command from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Handler->Agent [MStream] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Agent [MStream: ~ARGDATA0, ~ARGDATA1] Command from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM [Attacker->Handler] Connection
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler Connection from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Attacker->Handler [Password]
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler Password [~ARGDATA0] from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Attacker->Handler [Who] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Who] Command from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Attacker->Handler [Help] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Help] Command from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Attacker->Handler [Ping] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Ping] Command from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Attacker->Handler [Quit] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Quit] Command from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Attacker->Handler [Stream] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Stream: ~ARGDATA0] from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Attacker->Handler [MStream] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [MStream: ~ARGDATA0] from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Attacker->Handler [Servers] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Servers] Command from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Handler->Attacker [Streaming] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Streaming: ~ARGDATA0, ~ARGDATA1] from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Handler->Attacker [MStreaming] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [MStreaming: ~ARGDATA0, ~ARGDATA1] from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Handler->Attacker [New Server] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [New Server] Notify from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Handler->Attacker [Connection From] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Connection From: ~ARGDATA0] Notify from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Handler->Attacker [User Disconnected] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [User Disconnected From: ~ARGDATA0] Notify from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Handler->Attacker [Agent List]
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Agent List] from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Handler->Attacker [Online List]
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Online List] from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Handler->Attacker [Commands List]
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Commands List] from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Handler->Attacker [Pinging Agents] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Pinging Agents] Notify from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Handler->Attacker [Lost Connection] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Lost Connection from: ~ARGDATA0] Notify from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Handler->Attacker [Invalid Password] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Invalid Password from: ~ARGDATA0] Notify from ~SRCIP
Action: 4
---Module-End---

--Module-Begin--
Name: MSTREAM Handler->Attacker [Valid Password] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Valid Password from: ~ARGDATA0] Notify from ~SRCIP
Action: 4
---Module-End---

------------ MSTREAM_Decoder.db snip ------------

----------------------------------------------
MStream SNP-L Network Activity Decoder Scripts
----------------------------------------------

These scripts perform the actual "mstream" network activity decoding, parsing both UDP and TCP transmissions. They are written in the SNP-L scripting language. SNP-L is a highly integrated attack detection language which allows one to decode various types of network transmissions at a high level, without regard for host packet capture mechanisms, IP fragment reconstruction, and TCP session reassembly.

------------ mstream_tcp.l snip ------------

/* MStream TCP Decoder SNP-L Script
 *
 */

/* Utility Function: Checks whether this connection has been flagged as a
 *                   MStream connection yet.  If not, a module is triggered
 *                   and the flag is set.
 *
 *                   Checks whether the previously entered password has
 *                   been logged.  If not, a module is triggered and the
 *                   password flag is set accordingly.
 */
int16 checkConnectionFlagged
{
    u_char (connection) *attackerPassword;
    int16  (connection) attackerPasswordFlag;
    int16  (connection) mstreamConnectionFlag;

    /* log this mstream control connection if we haven't already */
    if (mstreamConnectionFlag == 0)
    {
        mstreamConnectionFlag = 1;
        module_trigger("MSTREAM [Attacker->Handler] Connection");
    }

    /* log the attacker's password if we haven't already */
    if (attackerPasswordFlag == 1)
    {
        attackerPasswordFlag = 2;
        action_set_logarg(&attackerPassword, ptrlen(&attackerPassword), 0);
        module_trigger("MSTREAM Attacker->Handler [Password]");
    }
}

/* MStream Attacker->Handler Command Line Decoder
 *
 */
int16 processMStreamAttackerToHandlerLine(u_char *lineData)
{
    u_char (connection) *attackerPassword;
    int16  (connection) attackerPasswordFlag;
    int32  dataLen;

    dataLen = ptrlen(&lineData);

    /* save this string as a password if this is the first
     * line of data from attacker->handler */
    if (attackerPasswordFlag == 0)
    {
        attackerPasswordFlag = 1;
        memcpy_realloc(&attackerPassword, &lineData, dataLen);
        return(0);
    }

    if (dataLen == 3)
    {
        if (strncmp(&lineData, "who", 3) == 0)
        {
            checkConnectionFlagged();
            module_trigger("MSTREAM Attacker->Handler [Who] Command");
        }
    }
    else if (dataLen == 4)
    {
        /* compare all four characters, so that "hel?" is not taken for "help" */
        if (strncmp(&lineData, "help", 4) == 0)
        {
            checkConnectionFlagged();
            module_trigger("MSTREAM Attacker->Handler [Help] Command");
        }
        else if (strncmp(&lineData, "quit", 4) == 0)
        {
            checkConnectionFlagged();
            module_trigger("MSTREAM Attacker->Handler [Quit] Command");
        }
        else if (strncmp(&lineData, "ping", 4) == 0)
        {
            checkConnectionFlagged();
            module_trigger("MSTREAM Attacker->Handler [Ping] Command");
        }
    }
    else if (dataLen >= 6)
    {
        if (strncmp(&lineData, "stream", 6) == 0)
        {
            checkConnectionFlagged();
            /* log everything after "stream " as the command argument */
            action_set_logarg(&lineData + 7, dataLen - 7, 0);
            module_trigger("MSTREAM Attacker->Handler [Stream] Command");
        }
        else if (dataLen >= 7)
        {
            if (strncmp(&lineData, "mstream", 7) == 0)
            {
                checkConnectionFlagged();
                /* log everything after "mstream " as the command argument */
                action_set_logarg(&lineData + 8, dataLen - 8, 0);
                module_trigger("MSTREAM Attacker->Handler [MStream] Command");
            }
            else if (strncmp(&lineData, "servers", 7) == 0)
            {
                checkConnectionFlagged();
                module_trigger("MSTREAM Attacker->Handler [Servers] Command");
            }
        }
    }

    return(0);
}

/* MStream Handler->Attacker Command Line Decoder
 *
 */
int16 processMStreamHandlerToAttackerLine(u_char *lineData)
{
    int32  dataLen;
    int32  offset;
    int32  oldOffset;
    u_char *ipStr;

    dataLen = ptrlen(&lineData);

    /* Parse out any '> ' data on leading lines, to allow for
     * proper extraction of handler output. */
    if (dataLen >= 2)
    {
        if (strncmp(&lineData, "> ", 2) == 0)
        {
            checkConnectionFlagged();
            memcpy_realloc(&lineData, &lineData + 2, dataLen - 2);
            dataLen = dataLen - 2;
        }
    }

    if (dataLen >= 10)
    {
        /* "Streaming <ip> for <n> seconds." */
        if (strncmp(&lineData, "Streaming ", 10) == 0)
        {
            offset = memmatchin(&lineData + 10, " for ");
            if (offset < 0)
                return(0);
            memcpy_realloc(&ipStr, &lineData + 10, offset);
            action_set_logarg(&ipStr, ptrlen(&ipStr), 0);

            oldOffset = offset + 10 + 5;
            offset = memmatchin(&lineData + oldOffset, " seconds.");
            if (offset < 0)
                return(0);
            memcpy_realloc(&ipStr, &lineData + oldOffset, offset);
            action_set_logarg(&ipStr, ptrlen(&ipStr), 1);

            checkConnectionFlagged();
            module_trigger("MSTREAM Handler->Attacker [Streaming] Notify");
            return(0);
        }

        /* "<ip> has disconnected" */
        offset = memmatchin(&lineData, "has discon");
        if (offset >= 0)
        {
            checkConnectionFlagged();
            memcpy_realloc(&ipStr, &lineData, offset);
            action_set_logarg(&ipStr, ptrlen(&ipStr), 0);
            module_trigger("MSTREAM Handler->Attacker [User Disconnected] Notify");
        }
    }

    if (dataLen >= 11)
    {
        /* "MStreaming <ip> for <n> seconds." */
        if (strncmp(&lineData, "MStreaming ", 11) == 0)
        {
            offset = memmatchin(&lineData + 11, " for ");
            if (offset < 0)
                return(0);
            memcpy_realloc(&ipStr, &lineData + 11, offset);
            action_set_logarg(&ipStr, ptrlen(&ipStr), 0);

            oldOffset = offset + 11 + 5;
            offset = memmatchin(&lineData + oldOffset, " seconds.");
            if (offset < 0)
                return(0);
            memcpy_realloc(&ipStr, &lineData + oldOffset, offset);
            action_set_logarg(&ipStr, ptrlen(&ipStr), 1);

            checkConnectionFlagged();
            module_trigger("MSTREAM Handler->Attacker [MStreaming] Notify");
            return(0);
        }
    }

    if (dataLen >= 15)
    {
        if (strncmp(&lineData, "New server on ", 14) == 0)
        {
            checkConnectionFlagged();
            memcpy_realloc(&ipStr, &lineData + 14, dataLen - 15);
            action_set_logarg(&ipStr, ptrlen(&ipStr), 0);
            module_trigger("MSTREAM Handler->Attacker [New Server] Notify");
            return(0);
        }
    }

    if (dataLen >= 16)
    {
        if (strncmp(&lineData, "Connection from ", 16) == 0)
        {
            checkConnectionFlagged();
            memcpy_realloc(&ipStr, &lineData + 16, dataLen - 16);
            action_set_logarg(&ipStr, ptrlen(&ipStr), 0);
            module_trigger("MSTREAM Handler->Attacker [Connection From] Notify");
            return(0);
        }
    }

    if (dataLen >= 17)
    {
        if (strncmp(&lineData, "Currently Online:", 17) == 0)
        {
            checkConnectionFlagged();
            module_trigger("MSTREAM Handler->Attacker [Online List]");
            return(0);
        }
    }

    if (dataLen >= 19)
    {
        if (strncmp(&lineData, "Available commands:", 19) == 0)
        {
            checkConnectionFlagged();
            module_trigger("MSTREAM Handler->Attacker [Commands List]");
            return(0);
        }
    }

    if (dataLen >= 20)
    {
        if (strncmp(&lineData, "Pinging all servers.", 20) == 0)
        {
            checkConnectionFlagged();
            module_trigger("MSTREAM Handler->Attacker [Pinging Agents] Notify");
            return(0);
        }
    }

    if (dataLen >= 21)
    {
        if (strncmp(&lineData, "Lost connection to ", 19) == 0)
        {
            checkConnectionFlagged();
            memcpy_realloc(&ipStr, &lineData + 19, dataLen - 19);
            action_set_logarg(&ipStr, ptrlen(&ipStr), 0);
            module_trigger("MSTREAM Handler->Attacker [Lost Connection] Notify");
            return(0);
        }
    }

    if (dataLen >= 23)
    {
        if (strncmp(&lineData, "Invalid password from ", 22) == 0)
        {
            checkConnectionFlagged();
            memcpy_realloc(&ipStr, &lineData + 22, dataLen - 23);
            action_set_logarg(&ipStr, ptrlen(&ipStr), 0);
            module_trigger("MSTREAM Handler->Attacker [Invalid Password] Notify");
            return(0);
        }
    }

    if (dataLen >= 27)
    {
        if (strncmp(&lineData, "The following ips are known", 27) == 0)
        {
            checkConnectionFlagged();
            module_trigger("MSTREAM Handler->Attacker [Agent List]");
        }
    }

    if (dataLen >= 39)
    {
        if (strncmp(&lineData, "Password accepted for connection from ", 38) == 0)
        {
            checkConnectionFlagged();
            memcpy_realloc(&ipStr, &lineData + 38, dataLen - 39);
            action_set_logarg(&ipStr, ptrlen(&ipStr), 0);
            module_trigger("MSTREAM Handler->Attacker [Valid Password] Notify");
            return(0);
        }
    }

    return(0);
}

/* MStream Generic Line Parser
 *
 */
int16 handleMStreamTCPData(u_char *sessionData, u_char *inData, int16 *connSide)
{
    u_char *lineData;
    int16  lineFlag;
    int32  offset;

    /* append the new segment to this direction's reassembly buffer */
    memcat_realloc(&sessionData, &inData);

    lineFlag = 1;
    while (lineFlag == 1)
    {
        lineFlag = 0;

        if (ptrlen(&sessionData) > 0)
        {
            offset = memmatchin(&sessionData, "\n");
        }
        else
        {
            offset = -1;
        }

        if (offset > 0)
        {
            if (sessionData[offset - 1] == '\r')
            {
                /* strip \r\n */
                memcpy_realloc(&lineData, &sessionData, offset - 1);
            }
            else
            {
                /* strip \n */
                memcpy_realloc(&lineData, &sessionData, offset);
            }

            if (ptrlen(&lineData) > 0)
            {
                /* if it is attacker->handler */
                if (connSide[0] == 0)
                {
                    processMStreamAttackerToHandlerLine(&lineData);
                }
                /* else it's handler->attacker data */
                else
                {
                    processMStreamHandlerToAttackerLine(&lineData);
                }
            }
        }

        /* remove processed line from buffer if necessary */
        if (offset >= 0)
        {
            lineFlag = 1;
            memcpy_realloc(&sessionData, &sessionData + (offset + 1),
                           ptrlen(&sessionData) - (offset + 1));
        }
    }

    /* large strings with no linefeed are truncated to '~' */
    if (ptrlen(&sessionData) > 2000)
    {
        memcpy_realloc(&sessionData, "~", 1);
    }
}

/* MStream Attacker->Handler TCP Connection Handler
 *
 */
int16 gotMStreamAttackerToHandlerConnection(char *inData, int16 *connSide)
{
    u_char (connection) *clientSessionData;
    u_char (connection) *serverSessionData;

    /* if this is attacker->handler data */
    if (connSide[0] == 0)
    {
        handleMStreamTCPData(&clientSessionData, (u_char *)&inData, &connSide);
    }
    /* if this is handler->attacker data */
    else
    {
        handleMStreamTCPData(&serverSessionData, (u_char *)&inData, &connSide);
    }
}

/* Public declarations for hooking into the SecureNet PRO IDS System
 *
 */
public gotMStreamAttackerToHandlerConnection;
passer gotMStreamAttackerToHandlerConnection(stream_data, tcp_connside);

/* EOF */

------------ mstream_tcp.l snip ------------

------------ mstream_udp.l snip ------------

/* MStream UDP Decoder SNP-L Script
 *
 */

/* MStream [Agent -> Handler] UDP Decoder
 *
 */
int16 gotMStreamAgentToHandlerData(u_char *inData)
{
    int32 dataLen;

    dataLen = ptrlen(&inData);

    if (dataLen == 9)
    {
        /* check for the newserver command */
        if (strncmp(&inData, "newserver", 9) == 0)
        {
            module_trigger("MSTREAM Agent->Handler [NewServer] Command");
        }
    }
    else if (dataLen == 4)
    {
        /* check for the pong command */
        if (strncmp(&inData, "pong", 4) == 0)
        {
            module_trigger("MSTREAM Agent->Handler [Pong] Command");
        }
    }
}

/* Utility Function: Extracts IP and Number of Seconds from [Stream]
 *                   and [MStream] attack commands ("<ip>/<seconds>")
 *
 */
int16 extractIPandSeconds(u_char *inData, u_char *ipData, u_char *secData)
{
    int32 slashOffset;

    slashOffset = memmatchin(&inData, "/");
    if (slashOffset < 0)
    {
        return(-1);
    }

    memcpy_realloc(&ipData, &inData, slashOffset);
    memcpy_realloc(&secData, &inData + slashOffset + 1,
                   ptrlen(&inData) - slashOffset - 1);

    return(1);
}

/* MStream [Handler -> Agent] UDP Decoder
 *
 */
int16 gotMStreamHandlerToAgentData(u_char *inData)
{
    u_char *extractIP;
    u_char *extractSecs;
    int32  dataLen;

    dataLen = ptrlen(&inData);

    if (dataLen == 4)
    {
        /* check for the ping command */
        if (strncmp(&inData, "ping", 4) == 0)
        {
            module_trigger("MSTREAM Handler->Agent [Ping] Command");
        }
    }
    else if (dataLen >= 7)
    {
        /* check for a 'stream' attack command */
        if (strncmp(&inData, "stream/", 7) == 0)
        {
            if (extractIPandSeconds(&inData + 7, &extractIP, &extractSecs) < 1)
            {
                return(0);
            }
            action_set_logarg(&extractIP, ptrlen(&extractIP), 0);
            action_set_logarg(&extractSecs, ptrlen(&extractSecs), 1);
            module_trigger("MSTREAM Handler->Agent [Stream] Command");
        }
        /* check for a 'mstream' attack command */
        else if (dataLen >= 8)
        {
            if (strncmp(&inData, "mstream/", 8) == 0)
            {
                if (extractIPandSeconds(&inData + 8, &extractIP, &extractSecs) < 1)
                {
                    return(0);
                }
                action_set_logarg(&extractIP, ptrlen(&extractIP), 0);
                action_set_logarg(&extractSecs, ptrlen(&extractSecs), 1);
                module_trigger("MSTREAM Handler->Agent [MStream] Command");
            }
        }
    }
}

/* Public declarations for hooking into the SecureNet PRO IDS System
 *
 */
public gotMStreamHandlerToAgentData;
passer gotMStreamHandlerToAgentData(udp_payload);

public gotMStreamAgentToHandlerData;
passer gotMStreamAgentToHandlerData(udp_payload);

/* EOF */

------------ mstream_udp.l snip ------------

Any comments or questions on these "mstream" decoder modules and scripts may be sent to the following electronic mail address:

Elliot Turner
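The following is an added example and is not part of the original post, nor SecureNet PRO or SNP-L code: a stand-alone Python re-implementation of the decoding performed by the two scripts above (mstream_tcp.l and mstream_udp.l), so that the parsing can be exercised offline without the IDS. It reassembles lines per direction of the attacker<->handler TCP connection (accepting both \n and \r\n, stripping the handler's "> " prompt, reporting the connection once and the password on the first recognised line, and discarding an unterminated buffer over 2000 bytes), and decodes the handler->agent and agent->handler UDP payloads. The string constants are the ones the scripts match on; the event names, the tuple layout, the SAMPLE_SESSION bytes and the stripping of a trailing "." from host arguments are assumptions made for this example. Requires Python 3.8 or later.

```python
import re

ATTACKER_TO_HANDLER, HANDLER_TO_ATTACKER = 0, 1
MAX_UNTERMINATED = 2000   # same cut-off the SNP-L script applies before replacing the buffer with '~'
# Attacker->handler commands that carry no argument.
SIMPLE_COMMANDS = {b"who": "Who", b"help": "Help", b"quit": "Quit", b"ping": "Ping", b"servers": "Servers"}
# Handler->attacker notifications: (prefix, event name, whether the rest of the line is a host argument).
NOTIFICATIONS = [
    (b"New server on ", "New Server", True),
    (b"Connection from ", "Connection From", True),
    (b"Lost connection to ", "Lost Connection", True),
    (b"Invalid password from ", "Invalid Password", True),
    (b"Password accepted for connection from ", "Valid Password", True),
    (b"Currently Online:", "Online List", False),
    (b"Available commands:", "Commands List", False),
    (b"Pinging all servers.", "Pinging Agents", False),
    (b"The following ips are known", "Agent List", False),
]
STREAMING_RE = re.compile(rb"^(M?Streaming) (.+?) for (.+?) seconds\.")

def _text(b):
    return b.decode("ascii", "replace")

def decode_handler_to_agent(payload):
    """Handler->agent UDP payload: b'ping', b'stream/<ip>/<secs>' or b'mstream/<ip>/<secs>'."""
    if payload == b"ping":
        return ("Ping",)
    for verb, name in ((b"stream/", "Stream"), (b"mstream/", "MStream")):
        if payload.startswith(verb):
            ip, sep, secs = payload[len(verb):].partition(b"/")
            return (name, _text(ip), _text(secs)) if sep else None   # no second '/': malformed, ignore
    return None

def decode_agent_to_handler(payload):
    """Agent->handler UDP payload: exact-length b'newserver' or b'pong', else None."""
    return {b"newserver": "NewServer", b"pong": "Pong"}.get(payload)

class MstreamTcpDecoder:
    """Reassembles lines per direction of one attacker<->handler TCP connection; emits event tuples."""
    def __init__(self):
        self.buffers = {ATTACKER_TO_HANDLER: b"", HANDLER_TO_ATTACKER: b""}
        self.password = None            # the first attacker->handler line is the password
        self.password_logged = False
        self.flagged = False            # the connection is reported once, on the first recognised line

    def feed(self, side, data):
        """Add one TCP segment for `side` and return the events it completes."""
        events, buf = [], self.buffers[side] + data
        while (nl := buf.find(b"\n")) >= 0:
            line, buf = buf[:nl].rstrip(b"\r"), buf[nl + 1:]   # accept both \n and \r\n
            if line:
                (self._attacker_line if side == ATTACKER_TO_HANDLER else self._handler_line)(line, events)
        self.buffers[side] = b"~" if len(buf) > MAX_UNTERMINATED else buf   # runaway unterminated line
        return events

    def _flag(self, events):   # one-time Connection event, plus any password not yet reported
        if not self.flagged:
            self.flagged = True
            events.append(("Connection",))
        if self.password is not None and not self.password_logged:
            self.password_logged = True
            events.append(("Password", self.password))

    def _attacker_line(self, line, events):
        if self.password is None:
            self.password = _text(line)
        elif line in SIMPLE_COMMANDS:
            self._flag(events)
            events.append((SIMPLE_COMMANDS[line],))
        elif line.startswith((b"stream ", b"mstream ")):
            verb, _, arg = line.partition(b" ")
            self._flag(events)
            events.append(("Stream" if verb == b"stream" else "MStream", _text(arg)))

    def _handler_line(self, line, events):
        if line.startswith(b"> "):      # the handler's prompt, stripped before matching
            self._flag(events)
            line = line[2:]
        m = STREAMING_RE.match(line)
        if m:
            self._flag(events)
            events.append(tuple(_text(g) for g in m.groups()))
        elif b" has discon" in line:
            self._flag(events)
            events.append(("User Disconnected", _text(line.split(b" has discon", 1)[0])))
        else:
            for prefix, name, has_arg in NOTIFICATIONS:
                if line.startswith(prefix):
                    self._flag(events)
                    events.append((name, _text(line[len(prefix):].rstrip(b"."))) if has_arg else (name,))
                    break

def decode_session(segments):
    """Run (side, bytes) segments through one decoder and collect every event in order."""
    dec = MstreamTcpDecoder()
    return [ev for side, data in segments for ev in dec.feed(side, data)]

# Constructed sample session (not captured traffic): password, prompt plus reply, a command, a split notification.
SAMPLE_SESSION = [(ATTACKER_TO_HANDLER, b"sekret\r\n"),
                  (HANDLER_TO_ATTACKER, b"> Password accepted for connection from 10.0.0.5.\r\n"),
                  (ATTACKER_TO_HANDLER, b"stream 192.0.2.10 30\r\n"),
                  (HANDLER_TO_ATTACKER, b"Streaming 192.0."), (HANDLER_TO_ATTACKER, b"2.10 for 30 seconds.\n")]
```

`decode_session(SAMPLE_SESSION)` yields, in order, the Connection and Password events (raised by the first recognised handler line, exactly as checkConnectionFlagged() does), the Valid Password notification, the attacker's Stream command, and the Streaming notification even though it arrived split across two segments. As with the SNP-L scripts, a handler built from modified source that changes these strings or ports will not be recognised; the tables at the top are the place to adjust.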