Tuesday, March 2, 2010

Snort Signature Practice: decode.c

decode.c steps through a Snort signature, converting the printable "content: |xx|" hex blocks to ASCII so that the rule is easier to read.

Using a sample (by Don Jackson of Secureworks) from Emerging Threats Virus rules:

dennis@ipa:~/projects/decode$ ./decode
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET|20|"; offset:0; depth:4; content:"User|2D|Agent|3A 20|Mozilla|2F|5|2E|0|20|Gecko|2F|20050212|20|Firefox|2F|1|2E|5|2E|0|2E|2"; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008139; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Rhifrem; sid:2008139; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET "; offset:0; depth:4; content:"User-Agent: Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008139; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Rhifrem; sid:2008139; rev:3;)
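As an added illustration (my own example, not the author's decode.c), here is a C implementation of the same idea. It assumes that only the |xx xx ...| blocks inside content:"..." options should be decoded, that the bytes Snort requires to stay escaped in a content string (the semicolon, double quote, backslash and bar) are left in hex form, and that any block with a non-printable byte is copied through untouched; text outside content strings, such as the pcre option, is never modified, so a bar used there as regex alternation is safe. The function names are mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (!isxdigit(c)) return -1;
    return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

/* Bytes Snort requires to stay escaped in a content string; left as |xx|. */
static int snort_special(int b)
{
    return b == ';' || b == '"' || b == '\\' || b == '|';
}

/* Append one byte to out[]; -1 if the buffer is full. */
static int put(char *out, size_t *o, size_t outsz, char c)
{
    if (*o + 1 >= outsz) return -1;
    out[(*o)++] = c;
    return 0;
}

/* Handle the |xx xx ...| block at *pp (the opening bar). All-printable,
 * non-special blocks are written decoded; any other block is copied verbatim
 * so the rule stays valid. Advances *pp past the closing bar; -1 = out full. */
static int handle_block(const char **pp, char *out, size_t *o, size_t outsz)
{
    const char *p = *pp, *end = strchr(p + 1, '|');
    if (!end) {                              /* unterminated: copy the bar */
        *pp = p + 1;
        return put(out, o, outsz, '|');
    }
    size_t save = *o;
    int ok = 1;
    for (const char *q = p + 1; q < end; ) {
        if (*q == ' ') { q++; continue; }
        int b = -1;
        if (q + 1 < end && hexval(q[0]) >= 0 && hexval(q[1]) >= 0)
            b = hexval(q[0]) * 16 + hexval(q[1]);
        if (b < 0x20 || b > 0x7e || snort_special(b)) { ok = 0; break; }
        if (put(out, o, outsz, (char)b) < 0) return -1;
        q += 2;
    }
    if (!ok) {
        *o = save;                           /* discard the partial decode */
        for (const char *q = p; q <= end; q++)
            if (put(out, o, outsz, *q) < 0) return -1;
    }
    *pp = end + 1;
    return 0;
}

/* Rewrite one rule so printable |xx| blocks inside content:"..." options become
 * ASCII. Text outside a content string (pcre, msg, references) is copied as-is,
 * so a '|' used as regex alternation is never touched. Returns the output
 * length, or -1 if it does not fit in outsz - 1 bytes. */
int decode_rule(const char *in, char *out, size_t outsz)
{
    const char *p = in;
    size_t o = 0;
    int in_content = 0;
    while (*p) {
        if (!in_content) {
            const char *q = NULL;
            if (strncmp(p, "content:", 8) == 0) {
                q = p + 8;
                if (*q == '!') q++;              /* negated content */
                while (*q == ' ') q++;           /* "content: |xx|" spacing */
                if (*q != '"') q = NULL;
            }
            if (q) {                             /* keyword through the quote */
                for (; p <= q; p++)
                    if (put(out, &o, outsz, *p) < 0) return -1;
                in_content = 1;
            } else if (put(out, &o, outsz, *p++) < 0) return -1;
        } else if (*p == '"') {                  /* end of the content string */
            in_content = 0;
            if (put(out, &o, outsz, *p++) < 0) return -1;
        } else if (*p == '\\' && p[1]) {         /* keep backslash escapes paired */
            if (put(out, &o, outsz, *p++) < 0) return -1;
            if (put(out, &o, outsz, *p++) < 0) return -1;
        } else if (*p == '|') {
            if (handle_block(&p, out, &o, outsz) < 0) return -1;
        } else if (put(out, &o, outsz, *p++) < 0) return -1;
    }
    out[o] = '\0';
    return (int)o;
}

/* Like ./decode: read rules on stdin, one per line, print them decoded. */
int main(void)
{
    char line[4096], out[8192];
    while (fgets(line, sizeof line, stdin))
        if (decode_rule(line, out, sizeof out) >= 0) fputs(out, stdout);
    return 0;
}
```

Feeding the RhiFrem rule above through it on stdin yields the second form shown, with "GET|20|" becoming "GET " and the User-Agent content becoming plain text, while the pcre option passes through unchanged.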

Sunday, February 21, 2010

Sockets Practice: portsweep.c

portsweep.c loops through a file of IPs and checks, for each one, whether the given port (or ports) is open:

dennis@ipa:~/projects/sockets/portsweep$ ./portsweep
portsweep [-l logfile] ipfile port1[,port2,...]

dennis@ipa:~/projects/sockets/portsweep$ ./portsweep ips 22,23,80,2049
192.168.1.1: 23 80
192.168.1.101:
127.0.0.1: 22 2049

Friday, February 19, 2010

Sockets Practice: location.c

location.c is a plain and simple gpsd client:

dennis@ipa:~/projects/sockets/location$ ./location
41.909431,XXX.XXXXXX

Sunday, February 14, 2010

Sockets Practice: portscan.c

I've been working my way through Stevens' Unix Network Programming. One of my non-book exercises has been portscan.c:

dennis@ipa:~/projects/sockets/portscan$ ./portscan -l 127.0.0.1.log 127.0.0.1

Port scanning 127.0.0.1:

Port 13 is open.
Port 22 is open.
Port 25 is open.
Port 37 is open.
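Both portsweep.c and portscan.c come down to one primitive: a TCP connect() that reports whether something is listening. As an added example (mine, not the author's code), here is that check written with a per-port timeout, which a plain blocking connect() lacks; against a host that silently drops the SYN, a blocking connect can sit for a minute or more before giving up, and one such port stalls the whole sweep. The function names (tcp_port_open, sweep_host, listen_on_loopback) and the single-host command line are my choices; the loopback listener exists only so the check can be exercised against this machine, which is also how the test below uses it.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Non-blocking TCP connect with a deadline: 1 if ip:port accepts within
 * timeout_ms, 0 if refused or timed out, -1 if the address is bad or no
 * socket can be created. */
int tcp_port_open(const char *ip, int port, int timeout_ms)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) return -1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
    int is_open = 0;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
        is_open = 1;                          /* completed immediately */
    } else if (errno == EINPROGRESS) {
        fd_set wfds;
        FD_ZERO(&wfds);
        FD_SET(fd, &wfds);
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        /* writable means the handshake finished; SO_ERROR tells us how */
        if (select(fd + 1, NULL, &wfds, NULL, &tv) > 0) {
            int err = 0;
            socklen_t len = sizeof err;
            if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) == 0 && err == 0)
                is_open = 1;
        }
    }
    close(fd);
    return is_open;
}

/* Check each port in ports[] on one host. Open ports are written to
 * found[] in order; the count is returned. */
int sweep_host(const char *ip, const int *ports, int nports, int timeout_ms,
               int *found)
{
    int n = 0;
    for (int i = 0; i < nports; i++)
        if (tcp_port_open(ip, ports[i], timeout_ms) == 1)
            found[n++] = ports[i];
    return n;
}

/* Test fixture: a listener on 127.0.0.1 with a kernel-chosen port. Returns
 * the listening socket (caller closes it) and stores the port in *port_out. */
int listen_on_loopback(int *port_out)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    socklen_t len = sizeof sa;
    if (bind(fd, (struct sockaddr *)&sa, len) < 0 || listen(fd, 8) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

/* usage: ./sweep ip port[,port,...]  (one host; portsweep reads a file) */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s ip port[,port,...]\n", argv[0]);
        return 1;
    }
    int ports[64], found[64], nports = 0;
    for (char *t = strtok(argv[2], ","); t && nports < 64; t = strtok(NULL, ","))
        ports[nports++] = atoi(t);
    int n = sweep_host(argv[1], ports, nports, 500, found);
    printf("%s:", argv[1]);
    for (int i = 0; i < n; i++)
        printf(" %d", found[i]);
    printf("\n");
    return 0;
}
```

Built with cc and run as ./sweep 127.0.0.1 22,80 it prints the host followed by the open ports, the same line format portsweep uses. The 500 ms timeout is what turns a refused-or-filtered distinction into a bounded wait: a refused port comes back instantly with ECONNREFUSED in SO_ERROR, a filtered one simply never becomes writable before select() returns.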

Tuesday, February 9, 2010

OpenBSD + gpsd + Garmin Geko 201

Here are my notes on getting the Garmin Geko 201 GPS handheld working with the OpenBSD gpsd port.

On the Geko 201:

1) Page to and select the "Setup" option.
2) Select the "Interface" option.
3) Set "I/O Format" to "NMEA".
4) Set "Baud" to "4800".

I'm using a serial-to-USB converter (unknown type) that looks like:

uftdi0 at uhub4 port 1 "FTDI FT232R USB UART" rev 2.00/6.00 addr 2
ucom0 at uftdi0 portno 1

The associated device file for this ucom(4) is /dev/ttyU0, which I provide to gpsd:

dennis@ipa:~$ sudo gpsd /dev/ttyU0
dennis@ipa:~$

Then I test everything with the cgps (no command line options) client.

Friday, January 29, 2010

koko.exe Phone Home

koko.exe does a GET request to 193.242.108.49:

GET /Dialer_Min/number.asp HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 193.242.108.49
Connection: Keep-Alive

The server replies with a text file (a.b.c.d == my IP):

003727091384
US

a.b.c.d

1.8
test disclaimer

The URL and first line of the reply point to a phone number, so I polled the server to see how many phone numbers come back:

dennis@ipa:~$ for i in `seq 1 1 500`; do
> lynx -source http://193.242.108.49/Dialer_Min/number.asp | head -1 >> numbers
> done

dennis@ipa:~$ cat numbers | sort | uniq -c | sort -nr
73 0023222279883
61 01137165159890
54 01137091022348
50 01137165159892
50 003727091384
49 011239200167
47 00239200167
46 01123222279883
44 0037165159892
26 011438209216455

The phone numbers break down like this:

011438209216455
011 - US (International Direct Dialling)
43 - Austria (Country Calling Code)
820 - services with regulated max. tariffs
9216455

01137165159892
0037165159892
011/00 - US/Generic
371 - Latvia
651 - landlines for district of Aizkraukle
59892

01137165159890
011 - US
371 - Latvia
651 - landlines for district of Aizkraukle
59890

01137091022348
011 - US
370 - Lithuania
910 - premium rate numbers
22 348

011239200167
00239200167
011/00 - US/Generic
239 - Sao Tome and Principe
239200167 - couldn't track down a source on phone number format

01123222279883
0023222279883
011/00 - US/Generic
232 - Sierra Leone
22279883 - couldn't track down a source on phone number format

003727091384
00 - Generic
372 - Estonia
709 - landline
1384

References:

Virustotal
ThreatExpert
CWSandbox

Wednesday, January 27, 2010