LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: October 31st, 2014
Linux Security Week: October 27th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Detecting and Decoding MStream Traffic Print E-mail
User Rating:      How can I rate this item?
Source: Elliot Turner, MimeStar, Inc. - Posted by LinuxSecurity.com Team   
Network Security Elliot Turner speaks about the recent "MStream" DDoS attack, and attack signatures he's explored to detect the presence of the vulnerability. "Using the attack signature modules and SNP-L scripts included in this write-up, one can detect and decode "mstream" network . . . Elliot Turner speaks about the recent "MStream" DDoS attack, and attack signatures he's explored to detect the presence of the vulnerability. "Using the attack signature modules and SNP-L scripts included in this write-up, one can detect and decode "mstream" network activity."
--------------------------------------
Detecting and Decoding MStream Traffic
--------------------------------------

May 03, 2000
Copyright (C) 2000, Elliot Turner, MimeStar, Inc. All rights reserved.

Recently a distributed denial of service (DDoS) attack tool known as "mstream"
has surfaced inside the cracker and security communities. This tool allows
malicious individuals to perform denial of service attacks against target hosts
in a large-scale fashion, using a number of centrally controlled attacker
agents.

Source code for the "mstream" DDoS tool was posted to both the vuln-dev and
BUGTRAQ mailing lists on April 29, 2000.

A detailed analysis of the "mstream" tool was posted to both the vuln-dev and
BUGTRAQ mailing lists on May 01, 2000.

In response to the surfacing of this attack tool and the published analysis
of its inner workings, we have developed a set of SNP-L scripts and attack
signatures which allow one to detect and decode "mstream" network activity.

Many thanks go out to the following individuals, for their work in developing
the analysis of the "mstream" tool and its workings:

David Dittrich
George Weaver
Sven Dietrich
Neil Long

The "mstream" analysis provides detailed information regarding the workings of
this DDoS tool, and is a highly suggested read.

Using the attack signature modules and SNP-L scripts included in this write-up,
one can detect and decode "mstream" network activity. Decoding of the following
transmissions is supported:

Attacker <-> Handler TCP Control Connections
Handler -> Agent UDP Control Messages
Agent -> Handler UDP Control Messages

These modules and scripts are designed to detect "mstream" activity for the
following variations of this tool:

"in the wild" (referenced in the "mstream" analysis)
published source
recovered source

It should be understood that since the source code to the "mstream" DDoS tool
has been made publicly available it is possible for one to be sufficiently
change the tool to evade detection by the included modules and scripts.

The modules and scripts included in this write-up are designed for use with
the SecureNet PRO Network Monitoring and Intrusion Detection Platform. This
is a commercial intrusion detection package. However, a version of SecureNet
PRO is freely available for download from MicroNetics, Inc.
(http://www.MicroNetics.net)

Additional information on the SecureNet PRO Network Monitoring and Intrusion
Detection Platform is available at (http://www.MimeStar.com).

The scripts and modules included with this write-up attempt to intelligently
parse "mstream" network transmission. This is done to reduce the potential
for both false positives and false negatives. These modules may be easily
modified to detect "mstream" traffic on different port combinations or
variations of the content of actual transmissions.


------------------------------
MStream Attack Signatures List
------------------------------

- Decoder Modules
1. MSTREAM Attacker->Handler TCP Decoder
2. MSTREAM Agent->Handler UDP Decoder
3. MSTREAM Handler->Agent UDP Decoder

- Agent->Handler Modules
4. MSTREAM Agent->Handler [NewServer] Command
5. MSTREAM Agent->Handler [Pong] Command

- Handler->Agent Modules
6. MSTREAM Handler->Agent [Ping] Command
7. MSTREAM Handler->Agent [Stream] Command
8. MSTREAM Handler->Agent [MStream] Command

- Attacker->Handler Modules
9. MSTREAM Attacker->Handler [Connection]
10. MSTREAM Attacker->Handler [Password]
11. MSTREAM Attacker->Handler [Who] Command
12. MSTREAM Attacker->Handler [Help] Command
13. MSTREAM Attacker->Handler [Ping] Command
14. MSTREAM Attacker->Handler [Quit] Command
15. MSTREAM Attacker->Handler [Stream] Command
16. MSTREAM Attacker->Handler [MStream] Command
17. MSTREAM Attacker->Handler [Servers] Command

- Handler->Attacker Modules
18. MSTREAM Handler->Attacker [Streaming] Notify
19. MSTREAM Handler->Attacker [MStreaming] Notify
20. MSTREAM Handler->Attacker [New Server] Notify
21. MSTREAM Handler->Attacker [Connection From] Notify
22. MSTREAM Handler->Attacker [Online List]
23. MSTREAM Handler->Attacker [Commands List]
24. MSTREAM Handler->Attacker [Pinging Agents] Notify
25. MSTREAM Handler->Attacker [Lost Connection] Notify
26. MSTREAM Handler->Attacker [Invalid Password] Notify
27. MSTREAM Handler->Attacker [Valid Password] Notify
28. MSTREAM Handler->Attacker [Agent List]
29. MSTREAM Handler->Attacker [User Disconnected] Notify


--------------------------------
MStream Attack Signature Modules
--------------------------------

These modules serve a dual purpose: hooks between the SecureNet PRO System and
SNP-L Network Activity Decoder Scripts and event triggers which allow one to
be notified of "mstream" activity.

------------ MSTREAM_Decoder.db snip ------------

--Module-Begin--
Name: MSTREAM Attacker->Handler TCP Decoder
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 0
Dest-Port: 6723, 15104, 12754
Analysis-Script: gotMStreamAttackerToHandlerConnection
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Agent->Handler UDP Decoder
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 2
Dest-Port: 9325, 6838
Analysis-Script: gotMStreamAgentToHandlerData
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Agent UDP Decoder
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 2
Dest-Port: 7983, 10498
Analysis-Script: gotMStreamHandlerToAgentData
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Agent->Handler [NewServer] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Agent->Handler [NewServer] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Agent->Handler [Pong] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Agent->Handler [Pong] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Agent [Ping] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Agent [Ping] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Agent [Stream] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Agent [Stream: ~ARGDATA0, ~ARGDATA1] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Agent [MStream] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Agent [MStream: ~ARGDATA0, ~ARGDATA1] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM [Attacker->Handler] Connection
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler Connection from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Attacker->Handler [Password]
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler Password [~ARGDATA0] from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Attacker->Handler [Who] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Who] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Attacker->Handler [Help] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Help] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Attacker->Handler [Ping] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Ping] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Attacker->Handler [Quit] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Quit] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Attacker->Handler [Stream] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Stream: ~ARGDATA0] from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Attacker->Handler [MStream] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [MStream: ~ARGDATA0] from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Attacker->Handler [Servers] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Servers] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Streaming] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Streaming: ~ARGDATA0, ~ARGDATA1] from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [MStreaming] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [MStreaming: ~ARGDATA0, ~ARGDATA1] from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [New Server] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [New Server] Notify from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Connection From] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Connection From: ~ARGDATA0] Notify from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [User Disconnected] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [User Disconnected From: ~ARGDATA0] Notify from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Agent List]
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Agent List] from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Online List]
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Online List] from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Commands List]
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Commands List] from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Pinging Agents] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Pinging Agents] Notify from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Lost Connection] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Lost Connection from: ~ARGDATA0] Notify from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Invalid Password] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Invalid Password from: ~ARGDATA0] Notify from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Valid Password] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Valid Password from: ~ARGDATA0] Notify from ~SRCIP
Action: 4
---Module-End---

------------ MSTREAM_Decoder.db snip ------------


----------------------------------------------
MStream SNP-L Network Activity Decoder Scripts
----------------------------------------------

These scripts perform actual "mstream" network activity decoding, parsing both
UDP and TCP transmissions. They are written in the SNP-L scripting language.
SNP-L is a highly integrated attack detection language which allows one to
decode various types of network transmissions on a high level, without regard
for host packet capture mechanisms, IP fragment reconstruction, and TCP
session reassembly.

------------ mstream_tcp.l snip ------------

/* MStream TCP Decoder SNP-L Script
*
*/


/* Utility Function: Checks whether this connection has been flagged as a
* MStream connection yet. If not, a module is triggered
* and the flag is set.
*
* Checks whether the previously entered password has
* been logged. If not, a module is triggered and the
* password flag is set accordingly.
*/
int16 checkConnectionFlagged
{
u_char (connection) *attackerPassword;
int16 (connection) attackerPasswordFlag;
int16 (connection) mstreamConnectionFlag;

/* log this mstream control connection if we havn't already */
if (mstreamConnectionFlag == 0)
{
mstreamConnectionFlag = 1;

module_trigger("MSTREAM [Attacker->Handler] Connection");
}

/* log the attacker's password if we havn't already */
if (attackerPasswordFlag == 1)
{
attackerPasswordFlag = 2;

action_set_logarg(&attackerPassword, ptrlen(&attackerPassword),
0);

module_trigger("MSTREAM Attacker->Handler [Password]");
}
}


/* MStream Attacker->Handler Command Line Decoder
*
*/
int16 processMStreamAttackerToHandlerLine(u_char *lineData)
{
u_char (connection) *attackerPassword;
int16 (connection) attackerPasswordFlag;
int32 dataLen;
u_char *ipStr;

dataLen = ptrlen(&lineData);

/* save this string as a password if this is the first
* line of data from attacker->handler
*/
if (attackerPasswordFlag == 0)
{
attackerPasswordFlag = 1;

memcpy_realloc(&attackerPassword, &lineData, dataLen);

return(0);
}

if (dataLen == 3)
{
if (strncmp(&lineData, "who", 3) == 0)
{
checkConnectionFlagged();

module_trigger(
"MSTREAM Attacker->Handler [Who] Command");
}
}
else if (dataLen == 4)
{
if (strncmp(&lineData, "help", 3) == 0)
{
checkConnectionFlagged();

module_trigger(
"MSTREAM Attacker->Handler [Help] Command");
}
else if (strncmp(&lineData, "quit", 4) == 0)
{
checkConnectionFlagged();

module_trigger(
"MSTREAM Attacker->Handler [Quit] Command");
}
else if (strncmp(&lineData, "ping", 4) == 0)
{
checkConnectionFlagged();

module_trigger(
"MSTREAM Attacker->Handler [Ping] Command");
}
}
else if (dataLen >= 6)
{
if (strncmp(&lineData, "stream", 6) == 0)
{
checkConnectionFlagged();

action_set_logarg(&lineData + 7, dataLen - 7, 0);

module_trigger(
"MSTREAM Attacker->Handler [Stream] Command");
}
else if (dataLen >= 7)
{
if (strncmp(&lineData, "mstream", 7) == 0)
{
checkConnectionFlagged();

action_set_logarg(&lineData + 8,
dataLen - 8, 0);

module_trigger(
"MSTREAM Attacker->Handler [MStream] Command");
}
else if (strncmp(&lineData, "servers", 7) == 0)
{
checkConnectionFlagged();

module_trigger(
"MSTREAM Attacker->Handler [Servers] Command");
}
}
}

return(0);
}


/* MStream Handler->Attacker Command Line Decoder
*
*/
int16 processMStreamHandlerToAttackerLine(u_char *lineData)
{
int32 dataLen;
int32 offset;
int32 oldOffset;
u_char *ipStr;

dataLen = ptrlen(&lineData);

/* Parse out any '> ' data on leading lines, to allow for
* proper extraction of handler output.
*/
if (dataLen >= 2)
{
if (strncmp(&lineData, "> ", 2) == 0)
{
checkConnectionFlagged();

memcpy_realloc(&lineData, &lineData + 2, dataLen - 2);

dataLen = dataLen - 2;
}
}

if (dataLen >= 10)
{
if (strncmp(&lineData, "Streaming ", 10) == 0)
{
offset = memmatchin(&lineData + 10, " for ");
if (offset < 0) return(0);

memcpy_realloc(&ipStr, &lineData + 10,
offset);
action_set_logarg(&ipStr, ptrlen(&ipStr), 0);

oldOffset = offset + 10 + 5;
offset = memmatchin(&lineData + oldOffset, " seconds.");
if (offset < 0) return(0);

memcpy_realloc(&ipStr, &lineData + oldOffset,
offset);
action_set_logarg(&ipStr, ptrlen(&ipStr), 1);

checkConnectionFlagged();

module_trigger(
"MSTREAM Handler->Attacker [Streaming] Notify");

return(0);
}

offset = memmatchin(&lineData, "has discon");
if (offset >= 0)
{
checkConnectionFlagged();

memcpy_realloc(&ipStr, &lineData, offset);
action_set_logarg(&ipStr, ptrlen(&ipStr), 0);

module_trigger(
"MSTREAM Handler->Attacker [User Disconnected] Notify");
}
}

if (dataLen >= 11)
{
if (strncmp(&lineData, "MStreaming ", 11) == 0)
{
offset = memmatchin(&lineData + 11, " for ");
if (offset < 0) return(0);

memcpy_realloc(&ipStr, &lineData + 11,
offset);
action_set_logarg(&ipStr, ptrlen(&ipStr), 0);

oldOffset = offset + 11 + 5;
offset = memmatchin(&lineData + oldOffset, " seconds.");
if (offset < 0) return(0);

memcpy_realloc(&ipStr, &lineData + oldOffset,
offset);
action_set_logarg(&ipStr, ptrlen(&ipStr), 1);

checkConnectionFlagged();

module_trigger(
"MSTREAM Handler->Attacker [MStreaming] Notify");

return(0);
}
}

if (dataLen >= 15)
{
if (strncmp(&lineData, "New server on ", 14) == 0)
{
checkConnectionFlagged();

memcpy_realloc(&ipStr, &lineData + 14, dataLen - 15);

action_set_logarg(&ipStr, ptrlen(&ipStr), 0);

module_trigger(
"MSTREAM Handler->Attacker [New Server] Notify");

return(0);
}
}

if (dataLen >= 16)
{
if (strncmp(&lineData, "Connection from ", 16) == 0)
{
checkConnectionFlagged();

memcpy_realloc(&ipStr, &lineData + 16, dataLen - 16);

action_set_logarg(&ipStr, ptrlen(&ipStr), 0);

module_trigger(
"MSTREAM Handler->Attacker [Connection From] Notify");

return(0);
}
}

if (dataLen >= 17)
{
if (strncmp(&lineData, "Currently Online:", 17) == 0)
{
checkConnectionFlagged();

module_trigger(
"MSTREAM Handler->Attacker [Online List]");

return(0);
}
}

if (dataLen >= 19)
{
if (strncmp(&lineData, "Available commands:", 19) == 0)
{
checkConnectionFlagged();

module_trigger(
"MSTREAM Handler->Attacker [Commands List]");

return(0);
}
}

if (dataLen >= 20)
{
if (strncmp(&lineData, "Pinging all servers.", 20) == 0)
{
checkConnectionFlagged();

module_trigger(
"MSTREAM Handler->Attacker [Pinging Agents] Notify");

return(0);
}
}

if (dataLen >= 21)
{
if (strncmp(&lineData, "Lost connection to ", 19) == 0)
{
checkConnectionFlagged();

memcpy_realloc(&ipStr, &lineData + 19, dataLen - 19);

action_set_logarg(&ipStr, ptrlen(&ipStr), 0);

module_trigger(
"MSTREAM Handler->Attacker [Lost Connection] Notify");

return(0);
}
}

if (dataLen >= 23)
{
if (strncmp(&lineData, "Invalid password from ", 22) == 0)
{
checkConnectionFlagged();

memcpy_realloc(&ipStr, &lineData + 22, dataLen - 23);

action_set_logarg(&ipStr, ptrlen(&ipStr), 0);

module_trigger(
"MSTREAM Handler->Attacker [Invalid Password] Notify");

return(0);
}
}

if (dataLen >= 27)
{
if (strncmp(&lineData, "The following ips are known", 27) == 0)
{
checkConnectionFlagged();

module_trigger(
"MSTREAM Handler->Attacker [Agent List]");
}
}

if (dataLen >= 39)
{
if (strncmp(&lineData, "Password accepted for connection from ",
38) == 0)
{
checkConnectionFlagged();

memcpy_realloc(&ipStr, &lineData + 38, dataLen - 39);

action_set_logarg(&ipStr, ptrlen(&ipStr), 0);

module_trigger(
"MSTREAM Handler->Attacker [Valid Password] Notify");

return(0);
}
}

return(0);
}


/* MStream Generic Line Parser
*
*/
int16 handleMStreamTCPData(u_char *sessionData, u_char *inData, int16 *connSide)
{
u_char *lineData;
int16 lineFlag;
int32 offset;

memcat_realloc(&sessionData, &inData);

lineFlag = 1;
while (lineFlag == 1)
{
lineFlag = 0;

if (ptrlen(&sessionData) > 0)
{
offset = memmatchin(&sessionData, "\n");
}
else
{
offset = -1;
}

if (offset > 0)
{
if (sessionData[offset - 1] == '\r')
{
/* strip \r\n */
memcpy_realloc(&lineData, &sessionData,
offset - 1);
}
else
{
/* strip \n */
memcpy_realloc(&lineData, &sessionData,
offset);
}

if (ptrlen(&lineData) > 0)
{
/* if it is attacker->handler */
if (connSide[0] == 0)
{
processMStreamAttackerToHandlerLine(
&lineData);
}
/* else it's handler->attacker data */
else
{
processMStreamHandlerToAttackerLine(
&lineData);
}
}
}
/* remove processed line from buffer if necessary */
if (offset >= 0)
{
lineFlag = 1;

memcpy_realloc(&sessionData,
&sessionData + (offset + 1),
ptrlen(&sessionData) - (offset + 1));
}
}

/* large strings with no linefeed are truncated to '~' */
if (ptrlen(&sessionData) > 2000)
{
memcpy_realloc(&sessionData, "~", 1);
}
}


/* MStream Attacker->Handler TCP Connection Handler
*
*/
int16 gotMStreamAttackerToHandlerConnection(char *inData, int16 *connSide)
{
u_char (connection) *clientSessionData;
u_char (connection) *serverSessionData;

/* if this is attacker->handler data */
if (connSide[0] == 0)
{
handleMStreamTCPData(&clientSessionData, (u_char *)&inData,
&connSide);
}
/* if this is handler->attacker data */
else
{
handleMStreamTCPData(&serverSessionData, (u_char *)&inData,
&connSide);
}
}


/* Public declarations for hooking into the SecureNet PRO IDS System
*
*/
public gotMStreamAttackerToHandlerConnection;
passer gotMStreamAttackerToHandlerConnection(stream_data, tcp_connside);


/* EOF */

------------ mstream_tcp.l snip ------------



------------ mstream_udp.l snip ------------

/* MStream UDP Decoder SNP-L Script
*/


/* MStream [Agent -> Handler] UDP Decoder
*
*/
int16 gotMStreamAgentToHandlerData(u_char *inData)
{
int32 dataLen;

dataLen = ptrlen(&inData);

if (dataLen == 9)
{
/* check for the newserver command */
if (strncmp(&inData, "newserver", 9) == 0)
{
module_trigger(
"MSTREAM Agent->Handler [NewServer] Command");
}
}
else if (dataLen == 4)
{
/* check for the pong command */
if (strncmp(&inData, "pong", 4) == 0)
{
module_trigger(
"MSTREAM Agent->Handler [Pong] Command");
}
}
}


/* Utility Function: Extracts IP and Number of Seconds from [Stream]
* and [MStream] attack commands
*
*/
int16 extractIPandSeconds(u_char *inData, u_char *ipData, u_char *secData)
{
int32 slashOffset;

slashOffset = memmatchin(&inData, "/");
if (slashOffset < 0)
{
return(-1);
}

memcpy_realloc(&ipData, &inData, slashOffset);
memcpy_realloc(&secData, &inData + slashOffset + 1,
ptrlen(&inData) - slashOffset - 1);

return(1);
}


/* MStream [Handler -> Agent] UDP Decoder
*
*/
int16 gotMStreamHandlerToAgentData(u_char *inData)
{
u_char *extractIP;
u_char *extractSecs;
int32 dataLen;

dataLen = ptrlen(&inData);

if (dataLen == 4)
{
/* check for the ping command */
if (strncmp(&inData, "ping", 4) == 0)
{
module_trigger(
"MSTREAM Handler->Agent [Ping] Command");
}
}
else if (dataLen >= 7)
{
/* check for a 'stream' attack command */
if (strncmp(&inData, "stream/", 7) == 0)
{
if (extractIPandSeconds(&inData + 7, &extractIP,
&extractSecs) < 1)
{
return(0);
}

action_set_logarg(&extractIP,
ptrlen(&extractIP), 0);
action_set_logarg(&extractSecs,
ptrlen(&extractSecs), 1);

module_trigger(
"MSTREAM Handler->Agent [Stream] Command");
}
/* check for a 'mstream' attack command */
else if (dataLen >= 8)
{
if (strncmp(&inData, "mstream/", 8) == 0)
{
if (extractIPandSeconds(&inData + 8, &extractIP,
&extractSecs) < 1)
{
return(0);
}

action_set_logarg(&extractIP,
ptrlen(&extractIP), 0);
action_set_logarg(&extractSecs,
ptrlen(&extractSecs), 1);

module_trigger(
"MSTREAM Handler->Agent [MStream] Command");
}
}
}
}


/* Public declarations for hooking into the SecureNet PRO IDS System
*
*/
public gotMStreamHandlerToAgentData;
passer gotMStreamHandlerToAgentData(udp_payload);

public gotMStreamAgentToHandlerData;
passer gotMStreamAgentToHandlerData(udp_payload);


/* EOF */

------------ mstream_udp.l snip ------------


Any comments or questions on these "mstream" decoder modules and scripts may
be sent to the following electronic mail address:

Elliot Turner <turnere@MimeStar.com>

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Pirate Bay founder guilty in historic hacker case
Parallels CTO: Linux container security is not the problem
Advisory says to assume all Drupal 7 websites are compromised
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.