Detecting and Decoding MStream Traffic
8 - 16 min read
May 02, 2000
--------------------------------------
Detecting and Decoding MStream Traffic
--------------------------------------
May 03, 2000
Copyright (C) 2000, Elliot Turner, MimeStar, Inc. All rights reserved.
Recently a distributed denial of service (DDoS) attack tool known as "mstream"
has surfaced inside the cracker and security communities. This tool allows
malicious individuals to perform denial of service attacks against target hosts
in a large-scale fashion, using a number of centrally controlled attacker
agents.
Source code for the "mstream" DDoS tool was posted to both the vuln-dev and
BUGTRAQ mailing lists on April 29, 2000.
A detailed analysis of the "mstream" tool was posted to both the vuln-dev and
BUGTRAQ mailing lists on May 01, 2000.
In response to the surfacing of this attack tool and the published analysis
of its inner workings, we have developed a set of SNP-L scripts and attack
signatures which allow one to detect and decode "mstream" network activity.
Many thanks go out to the following individuals, for their work in developing
the analysis of the "mstream" tool and its workings:
David Dittrich
George Weaver
Sven Dietrich
Neil Long
The "mstream" analysis provides detailed information regarding the workings of
this DDoS tool, and is a highly suggested read.
Using the attack signature modules and SNP-L scripts included in this write-up,
one can detect and decode "mstream" network activity. Decoding of the following
transmissions is supported:
Attacker <-> Handler TCP Control Connections
Handler -> Agent UDP Control Messages
Agent -> Handler UDP Control Messages
These modules and scripts are designed to detect "mstream" activity for the
following variations of this tool:
"in the wild" (referenced in the "mstream" analysis)
published source
recovered source
It should be understood that since the source code to the "mstream" DDoS tool
has been made publicly available it is possible for one to be sufficiently
change the tool to evade detection by the included modules and scripts.
The modules and scripts included in this write-up are designed for use with
the SecureNet PRO Network Monitoring and Intrusion Detection Platform. This
is a commercial intrusion detection package. However, a version of SecureNet
PRO is freely available for download from MicroNetics, Inc.
(http://www.micronetics.net)
Additional information on the SecureNet PRO Network Monitoring and Intrusion
Detection Platform is available at (http://mimestar.com/).
The scripts and modules included with this write-up attempt to intelligently
parse "mstream" network transmission. This is done to reduce the potential
for both false positives and false negatives. These modules may be easily
modified to detect "mstream" traffic on different port combinations or
variations of the content of actual transmissions.
------------------------------
MStream Attack Signatures List
------------------------------
- Decoder Modules
1. MSTREAM Attacker->Handler TCP Decoder
2. MSTREAM Agent->Handler UDP Decoder
3. MSTREAM Handler->Agent UDP Decoder
- Agent->Handler Modules
4. MSTREAM Agent->Handler [NewServer] Command
5. MSTREAM Agent->Handler [Pong] Command
- Handler->Agent Modules
6. MSTREAM Handler->Agent [Ping] Command
7. MSTREAM Handler->Agent [Stream] Command
8. MSTREAM Handler->Agent [MStream] Command
- Attacker->Handler Modules
9. MSTREAM Attacker->Handler [Connection]
10. MSTREAM Attacker->Handler [Password]
11. MSTREAM Attacker->Handler [Who] Command
12. MSTREAM Attacker->Handler [Help] Command
13. MSTREAM Attacker->Handler [Ping] Command
14. MSTREAM Attacker->Handler [Quit] Command
15. MSTREAM Attacker->Handler [Stream] Command
16. MSTREAM Attacker->Handler [MStream] Command
17. MSTREAM Attacker->Handler [Servers] Command
- Handler->Attacker Modules
18. MSTREAM Handler->Attacker [Streaming] Notify
19. MSTREAM Handler->Attacker [MStreaming] Notify
20. MSTREAM Handler->Attacker [New Server] Notify
21. MSTREAM Handler->Attacker [Connection From] Notify
22. MSTREAM Handler->Attacker [Online List]
23. MSTREAM Handler->Attacker [Commands List]
24. MSTREAM Handler->Attacker [Pinging Agents] Notify
25. MSTREAM Handler->Attacker [Lost Connection] Notify
26. MSTREAM Handler->Attacker [Invalid Password] Notify
27. MSTREAM Handler->Attacker [Valid Password] Notify
28. MSTREAM Handler->Attacker [Agent List]
29. MSTREAM Handler->Attacker [User Disconnected] Notify
--------------------------------
MStream Attack Signature Modules
--------------------------------
These modules serve a dual purpose: hooks between the SecureNet PRO System and
SNP-L Network Activity Decoder Scripts and event triggers which allow one to
be notified of "mstream" activity.
------------ MSTREAM_Decoder.db snip ------------
--Module-Begin--
Name: MSTREAM Attacker->Handler TCP Decoder
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 0
Dest-Port: 6723, 15104, 12754
Analysis-Script: gotMStreamAttackerToHandlerConnection
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Agent->Handler UDP Decoder
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 2
Dest-Port: 9325, 6838
Analysis-Script: gotMStreamAgentToHandlerData
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Agent UDP Decoder
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 2
Dest-Port: 7983, 10498
Analysis-Script: gotMStreamHandlerToAgentData
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Agent->Handler [NewServer] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Agent->Handler [NewServer] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Agent->Handler [Pong] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Agent->Handler [Pong] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Agent [Ping] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Agent [Ping] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Agent [Stream] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Agent [Stream: ~ARGDATA0, ~ARGDATA1] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Agent [MStream] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Agent [MStream: ~ARGDATA0, ~ARGDATA1] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM [Attacker->Handler] Connection
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler Connection from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Attacker->Handler [Password]
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler Password [~ARGDATA0] from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Attacker->Handler [Who] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Who] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Attacker->Handler [Help] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Help] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Attacker->Handler [Ping] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Ping] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Attacker->Handler [Quit] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Quit] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Attacker->Handler [Stream] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Stream: ~ARGDATA0] from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Attacker->Handler [MStream] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [MStream: ~ARGDATA0] from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Attacker->Handler [Servers] Command
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Attacker->Handler [Servers] Command from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Streaming] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Streaming: ~ARGDATA0, ~ARGDATA1] from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [MStreaming] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [MStreaming: ~ARGDATA0, ~ARGDATA1] from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [New Server] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [New Server] Notify from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Connection From] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Connection From: ~ARGDATA0] Notify from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [User Disconnected] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [User Disconnected From: ~ARGDATA0] Notify from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Agent List]
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Agent List] from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Online List]
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Online List] from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Commands List]
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Commands List] from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Pinging Agents] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Pinging Agents] Notify from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Lost Connection] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Lost Connection from: ~ARGDATA0] Notify from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Invalid Password] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Invalid Password from: ~ARGDATA0] Notify from ~SRCIP
Action: 4
---Module-End---
--Module-Begin--
Name: MSTREAM Handler->Attacker [Valid Password] Notify
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Log-Message: Mstream Handler->Attacker [Valid Password from: ~ARGDATA0] Notify from ~SRCIP
Action: 4
---Module-End---
------------ MSTREAM_Decoder.db snip ------------
----------------------------------------------
MStream SNP-L Network Activity Decoder Scripts
----------------------------------------------
These scripts perform actual "mstream" network activity decoding, parsing both
UDP and TCP transmissions. They are written in the SNP-L scripting language.
SNP-L is a highly integrated attack detection language which allows one to
decode various types of network transmissions on a high level, without regard
for host packet capture mechanisms, IP fragment reconstruction, and TCP
session reassembly.
------------ mstream_tcp.l snip ------------
/* MStream TCP Decoder SNP-L Script
*
*/
/* Utility Function: Checks whether this connection has been flagged as a
* MStream connection yet. If not, a module is triggered
* and the flag is set.
*
* Checks whether the previously entered password has
* been logged. If not, a module is triggered and the
* password flag is set accordingly.
*/
int16 checkConnectionFlagged
{
u_char (connection) *attackerPassword;
int16 (connection) attackerPasswordFlag;
int16 (connection) mstreamConnectionFlag;
/* log this mstream control connection if we havn't already */
if (mstreamConnectionFlag == 0)
{
mstreamConnectionFlag = 1;
module_trigger("MSTREAM [Attacker->Handler] Connection");
}
/* log the attacker's password if we havn't already */
if (attackerPasswordFlag == 1)
{
attackerPasswordFlag = 2;
action_set_logarg(&attackerPassword, ptrlen(&attackerPassword),
0);
module_trigger("MSTREAM Attacker->Handler [Password]");
}
}
/* MStream Attacker->Handler Command Line Decoder
*
*/
int16 processMStreamAttackerToHandlerLine(u_char *lineData)
{
u_char (connection) *attackerPassword;
int16 (connection) attackerPasswordFlag;
int32 dataLen;
u_char *ipStr;
dataLen = ptrlen(&lineData);
/* save this string as a password if this is the first
* line of data from attacker->handler
*/
if (attackerPasswordFlag == 0)
{
attackerPasswordFlag = 1;
memcpy_realloc(&attackerPassword, &lineData, dataLen);
return(0);
}
if (dataLen == 3)
{
if (strncmp(&lineData, "who", 3) == 0)
{
checkConnectionFlagged();
module_trigger(
"MSTREAM Attacker->Handler [Who] Command");
}
}
else if (dataLen == 4)
{
if (strncmp(&lineData, "help", 3) == 0)
{
checkConnectionFlagged();
module_trigger(
"MSTREAM Attacker->Handler [Help] Command");
}
else if (strncmp(&lineData, "quit", 4) == 0)
{
checkConnectionFlagged();
module_trigger(
"MSTREAM Attacker->Handler [Quit] Command");
}
else if (strncmp(&lineData, "ping", 4) == 0)
{
checkConnectionFlagged();
module_trigger(
"MSTREAM Attacker->Handler [Ping] Command");
}
}
else if (dataLen >= 6)
{
if (strncmp(&lineData, "stream", 6) == 0)
{
checkConnectionFlagged();
action_set_logarg(&lineData + 7, dataLen - 7, 0);
module_trigger(
"MSTREAM Attacker->Handler [Stream] Command");
}
else if (dataLen >= 7)
{
if (strncmp(&lineData, "mstream", 7) == 0)
{
checkConnectionFlagged();
action_set_logarg(&lineData + 8,
dataLen - 8, 0);
module_trigger(
"MSTREAM Attacker->Handler [MStream] Command");
}
else if (strncmp(&lineData, "servers", 7) == 0)
{
checkConnectionFlagged();
module_trigger(
"MSTREAM Attacker->Handler [Servers] Command");
}
}
}
return(0);
}
/* MStream Handler->Attacker Command Line Decoder
*
*/
int16 processMStreamHandlerToAttackerLine(u_char *lineData)
{
int32 dataLen;
int32 offset;
int32 oldOffset;
u_char *ipStr;
dataLen = ptrlen(&lineData);
/* Parse out any '> ' data on leading lines, to allow for
* proper extraction of handler output.
*/
if (dataLen >= 2)
{
if (strncmp(&lineData, "> ", 2) == 0)
{
checkConnectionFlagged();
memcpy_realloc(&lineData, &lineData + 2, dataLen - 2);
dataLen = dataLen - 2;
}
}
if (dataLen >= 10)
{
if (strncmp(&lineData, "Streaming ", 10) == 0)
{
offset = memmatchin(&lineData + 10, " for ");
if (offset < 0) return(0);
memcpy_realloc(&ipStr, &lineData + 10,
offset);
action_set_logarg(&ipStr, ptrlen(&ipStr), 0);
oldOffset = offset + 10 + 5;
offset = memmatchin(&lineData + oldOffset, " seconds.");
if (offset < 0) return(0);
memcpy_realloc(&ipStr, &lineData + oldOffset,
offset);
action_set_logarg(&ipStr, ptrlen(&ipStr), 1);
checkConnectionFlagged();
module_trigger(
"MSTREAM Handler->Attacker [Streaming] Notify");
return(0);
}
offset = memmatchin(&lineData, "has discon");
if (offset >= 0)
{
checkConnectionFlagged();
memcpy_realloc(&ipStr, &lineData, offset);
action_set_logarg(&ipStr, ptrlen(&ipStr), 0);
module_trigger(
"MSTREAM Handler->Attacker [User Disconnected] Notify");
}
}
if (dataLen >= 11)
{
if (strncmp(&lineData, "MStreaming ", 11) == 0)
{
offset = memmatchin(&lineData + 11, " for ");
if (offset < 0) return(0);
memcpy_realloc(&ipStr, &lineData + 11,
offset);
action_set_logarg(&ipStr, ptrlen(&ipStr), 0);
oldOffset = offset + 11 + 5;
offset = memmatchin(&lineData + oldOffset, " seconds.");
if (offset < 0) return(0);
memcpy_realloc(&ipStr, &lineData + oldOffset,
offset);
action_set_logarg(&ipStr, ptrlen(&ipStr), 1);
checkConnectionFlagged();
module_trigger(
"MSTREAM Handler->Attacker [MStreaming] Notify");
return(0);
}
}
if (dataLen >= 15)
{
if (strncmp(&lineData, "New server on ", 14) == 0)
{
checkConnectionFlagged();
memcpy_realloc(&ipStr, &lineData + 14, dataLen - 15);
action_set_logarg(&ipStr, ptrlen(&ipStr), 0);
module_trigger(
"MSTREAM Handler->Attacker [New Server] Notify");
return(0);
}
}
if (dataLen >= 16)
{
if (strncmp(&lineData, "Connection from ", 16) == 0)
{
checkConnectionFlagged();
memcpy_realloc(&ipStr, &lineData + 16, dataLen - 16);
action_set_logarg(&ipStr, ptrlen(&ipStr), 0);
module_trigger(
"MSTREAM Handler->Attacker [Connection From] Notify");
return(0);
}
}
if (dataLen >= 17)
{
if (strncmp(&lineData, "Currently Online:", 17) == 0)
{
checkConnectionFlagged();
module_trigger(
"MSTREAM Handler->Attacker [Online List]");
return(0);
}
}
if (dataLen >= 19)
{
if (strncmp(&lineData, "Available commands:", 19) == 0)
{
checkConnectionFlagged();
module_trigger(
"MSTREAM Handler->Attacker [Commands List]");
return(0);
}
}
if (dataLen >= 20)
{
if (strncmp(&lineData, "Pinging all servers.", 20) == 0)
{
checkConnectionFlagged();
module_trigger(
"MSTREAM Handler->Attacker [Pinging Agents] Notify");
return(0);
}
}
if (dataLen >= 21)
{
if (strncmp(&lineData, "Lost connection to ", 19) == 0)
{
checkConnectionFlagged();
memcpy_realloc(&ipStr, &lineData + 19, dataLen - 19);
action_set_logarg(&ipStr, ptrlen(&ipStr), 0);
module_trigger(
"MSTREAM Handler->Attacker [Lost Connection] Notify");
return(0);
}
}
if (dataLen >= 23)
{
if (strncmp(&lineData, "Invalid password from ", 22) == 0)
{
checkConnectionFlagged();
memcpy_realloc(&ipStr, &lineData + 22, dataLen - 23);
action_set_logarg(&ipStr, ptrlen(&ipStr), 0);
module_trigger(
"MSTREAM Handler->Attacker [Invalid Password] Notify");
return(0);
}
}
if (dataLen >= 27)
{
if (strncmp(&lineData, "The following ips are known", 27) == 0)
{
checkConnectionFlagged();
module_trigger(
"MSTREAM Handler->Attacker [Agent List]");
}
}
if (dataLen >= 39)
{
if (strncmp(&lineData, "Password accepted for connection from ",
38) == 0)
{
checkConnectionFlagged();
memcpy_realloc(&ipStr, &lineData + 38, dataLen - 39);
action_set_logarg(&ipStr, ptrlen(&ipStr), 0);
module_trigger(
"MSTREAM Handler->Attacker [Valid Password] Notify");
return(0);
}
}
return(0);
}
/* MStream Generic Line Parser
*
*/
int16 handleMStreamTCPData(u_char *sessionData, u_char *inData, int16 *connSide)
{
u_char *lineData;
int16 lineFlag;
int32 offset;
memcat_realloc(&sessionData, &inData);
lineFlag = 1;
while (lineFlag == 1)
{
lineFlag = 0;
if (ptrlen(&sessionData) > 0)
{
offset = memmatchin(&sessionData, "\n");
}
else
{
offset = -1;
}
if (offset > 0)
{
if (sessionData[offset - 1] == '\r')
{
/* strip \r\n */
memcpy_realloc(&lineData, &sessionData,
offset - 1);
}
else
{
/* strip \n */
memcpy_realloc(&lineData, &sessionData,
offset);
}
if (ptrlen(&lineData) > 0)
{
/* if it is attacker->handler */
if (connSide[0] == 0)
{
processMStreamAttackerToHandlerLine(
&lineData);
}
/* else it's handler->attacker data */
else
{
processMStreamHandlerToAttackerLine(
&lineData);
}
}
}
/* remove processed line from buffer if necessary */
if (offset >= 0)
{
lineFlag = 1;
memcpy_realloc(&sessionData,
&sessionData + (offset + 1),
ptrlen(&sessionData) - (offset + 1));
}
}
/* large strings with no linefeed are truncated to '~' */
if (ptrlen(&sessionData) > 2000)
{
memcpy_realloc(&sessionData, "~", 1);
}
}
/* MStream Attacker->Handler TCP Connection Handler
*
*/
int16 gotMStreamAttackerToHandlerConnection(char *inData, int16 *connSide)
{
u_char (connection) *clientSessionData;
u_char (connection) *serverSessionData;
/* if this is attacker->handler data */
if (connSide[0] == 0)
{
handleMStreamTCPData(&clientSessionData, (u_char *)&inData,
&connSide);
}
/* if this is handler->attacker data */
else
{
handleMStreamTCPData(&serverSessionData, (u_char *)&inData,
&connSide);
}
}
/* Public declarations for hooking into the SecureNet PRO IDS System
*
*/
public gotMStreamAttackerToHandlerConnection;
passer gotMStreamAttackerToHandlerConnection(stream_data, tcp_connside);
/* EOF */
------------ mstream_tcp.l snip ------------
------------ mstream_udp.l snip ------------
/* MStream UDP Decoder SNP-L Script------------ mstream_udp.l snip ------------
*/
/* MStream [Agent -> Handler] UDP Decoder
*
*/
int16 gotMStreamAgentToHandlerData(u_char *inData)
{
int32 dataLen;
dataLen = ptrlen(&inData);
if (dataLen == 9)
{
/* check for the newserver command */
if (strncmp(&inData, "newserver", 9) == 0)
{
module_trigger(
"MSTREAM Agent->Handler [NewServer] Command");
}
}
else if (dataLen == 4)
{
/* check for the pong command */
if (strncmp(&inData, "pong", 4) == 0)
{
module_trigger(
"MSTREAM Agent->Handler [Pong] Command");
}
}
}
/* Utility Function: Extracts IP and Number of Seconds from [Stream]
* and [MStream] attack commands
*
*/
int16 extractIPandSeconds(u_char *inData, u_char *ipData, u_char *secData)
{
int32 slashOffset;
slashOffset = memmatchin(&inData, "/");
if (slashOffset < 0)
{
return(-1);
}
memcpy_realloc(&ipData, &inData, slashOffset);
memcpy_realloc(&secData, &inData + slashOffset + 1,
ptrlen(&inData) - slashOffset - 1);
return(1);
}
/* MStream [Handler -> Agent] UDP Decoder
*
*/
int16 gotMStreamHandlerToAgentData(u_char *inData)
{
u_char *extractIP;
u_char *extractSecs;
int32 dataLen;
dataLen = ptrlen(&inData);
if (dataLen == 4)
{
/* check for the ping command */
if (strncmp(&inData, "ping", 4) == 0)
{
module_trigger(
"MSTREAM Handler->Agent [Ping] Command");
}
}
else if (dataLen >= 7)
{
/* check for a 'stream' attack command */
if (strncmp(&inData, "stream/", 7) == 0)
{
if (extractIPandSeconds(&inData + 7, &extractIP,
&extractSecs) < 1)
{
return(0);
}
action_set_logarg(&extractIP,
ptrlen(&extractIP), 0);
action_set_logarg(&extractSecs,
ptrlen(&extractSecs), 1);
module_trigger(
"MSTREAM Handler->Agent [Stream] Command");
}
/* check for a 'mstream' attack command */
else if (dataLen >= 8)
{
if (strncmp(&inData, "mstream/", 8) == 0)
{
if (extractIPandSeconds(&inData + 8, &extractIP,
&extractSecs) < 1)
{
return(0);
}
action_set_logarg(&extractIP,
ptrlen(&extractIP), 0);
action_set_logarg(&extractSecs,
ptrlen(&extractSecs), 1);
module_trigger(
"MSTREAM Handler->Agent [MStream] Command");
}
}
}
}
/* Public declarations for hooking into the SecureNet PRO IDS System
*
*/
public gotMStreamHandlerToAgentData;
passer gotMStreamHandlerToAgentData(udp_payload);
public gotMStreamAgentToHandlerData;
passer gotMStreamAgentToHandlerData(udp_payload);
/* EOF */
Any comments or questions on these "mstream" decoder modules and scripts may
be sent to the following electronic mail address:
Elliot Turner <turnere@MimeStar.com>
Related Articles
1 - 0 min read
Spectre V2: A New Threat to Linux Systems
1 - 0 min read
Hacked VMs Reveal New Attack Risks
1 - 0 min read
Multiple Chromium DoS, Info Disclosure Vulns Fixed [Updated]
