
Sneeze – a false-positive generator for Snort

It is written in Perl. It reads Snort attack-signature (rule) files and simulates the corresponding attacks. This helps to test how well an intrusion detection system is working, and can also be used to hide real attacks among false ones.

Installation:

$ wget http://xgu.ru/downloads/sneeze.pl
$ chmod +x sneeze.pl

The Net::RawIP Perl module (the p5-Net-RawIP port) is also required:

$ cd /usr/ports/net/p5-Net-RawIP
$ make install clean

Running sneeze.pl without parameters prints the usage message (and, when not run as root, the Net::RawIP EUID error):

$ ./sneeze.pl
Must have EUID == 0 to use Net::RawIP, currently you are seen with EUID=1001 at ./sneeze.pl line 20
Usage ./sneeze.pl -d <dest host> -f <rule file> [options]
        -c count        Loop X times. -1 == forever. Default is 1.
        -s ip           Spoof this IP as source. Default is your IP.
        -p port         Force use of this source port.
        -i interface    Outbound interface. Default is eth0.
        -x debug        Turn on debugging information.
        -h help         Duh? This is it.

We take Snort's DNS attack-signature file and simulate the DNS attacks it describes:

$ sudo ./sneeze.pl -i vlan3 -d case.net.ru -f /usr/local/etc/snort/rules/dns.rules
ATTACK:
 case.net.ru:20068 -> case.net.ru:34164
 
ATTACK:
 case.net.ru:26296 -> case.net.ru:54516
 
ATTACK:
 case.net.ru:21436 -> case.net.ru:43523
 
ATTACK: DNS named authors attempt
ATTACK TYPE: attempted-recon
tcp case.net.ru:44905 -> case.net.ru:53
Reference => 10728
Reference => http://www.whitehats.com/info/IDS480
 
ATTACK: DNS named authors attempt
ATTACK TYPE: attempted-recon
udp case.net.ru:65328 -> case.net.ru:53
Reference => 10728
Reference => http://www.whitehats.com/info/IDS480
 
...
 
ATTACK: DNS Windows NAT helper components tcp denial of service attempt
ATTACK TYPE: misc-attack
tcp case.net.ru:17587 -> case.net.ru:53
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-5614

In the Snort logs we see:

05/03-18:47:16.154161  [**] [1:1616:10] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 213.79.110.123:39151 -> 213.79.110.123:53
05/03-18:47:16.156684  [**] [1:256:9] DNS named authors attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 213.79.110.123:28828 -> 213.79.110.123:53
05/03-18:47:16.156684  [**] [1:1616:10] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 213.79.110.123:28828 -> 213.79.110.123:53
05/03-18:47:16.157034  [**] [1:256:9] DNS named authors attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 213.79.110.123:28828 -> 213.79.110.123:53
05/03-18:47:16.157034  [**] [1:1616:10] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 213.79.110.123:28828 -> 213.79.110.123:53
 
...
 
05/03-18:47:16.159283  [**] [1:253:7] DNS SPOOF query response PTR with TTL of 1 min. and no authority [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 213.79.110.123:53 -> 213.79.110.123:42884
05/03-18:47:16.159283  [**] [1:254:7] DNS SPOOF query response with TTL of 1 min. and no authority [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 213.79.110.123:53 -> 213.79.110.123:42884
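An added example, not part of the original article or of the sneeze.pl script: a Python check that compares the rule file that was replayed against Snort's alert_fast log, reporting which sids fired and which stayed silent (the "IDS quality" question the tool is meant to answer), and listing alerts whose source and destination address coincide, which is how the replay above shows up in the log. The rule lines and log lines below are constructed in the style of the post, not copied from the real dns.rules.

```python
import re
from collections import Counter
# Constructed rules in the style of Snort's dns.rules (not the real file contents).
RULES = r'''
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; classtype:attempted-recon; sid:1616; rev:10;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; classtype:attempted-recon; sid:256; rev:9;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with TTL of 1 min. and no authority"; classtype:bad-unknown; sid:254; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; classtype:attempted-recon; sid:255; rev:13;)
'''
# Constructed alert_fast lines; the first three mimic the post's log, the last is a query from another host.
ALERTS = '''
05/03-18:47:16.154161  [**] [1:1616:10] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 213.79.110.123:39151 -> 213.79.110.123:53
05/03-18:47:16.156684  [**] [1:256:9] DNS named authors attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 213.79.110.123:28828 -> 213.79.110.123:53
05/03-18:47:16.159283  [**] [1:254:7] DNS SPOOF query response with TTL of 1 min. and no authority [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 213.79.110.123:53 -> 213.79.110.123:42884
05/03-18:49:02.000001  [**] [1:1616:10] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.7:40001 -> 213.79.110.123:53
'''

RULE_RE = re.compile(r'^alert\s+(\w+)\s.*?\(msg:"([^"]+)";.*?\bsid:(\d+);')
ALERT_RE = re.compile(r'\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\].*?\{(\w+)\}\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)')

def parse_rules(text):
    """Map sid -> (proto, msg) for every 'alert' rule in the file."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m.group(3))] = (m.group(1), m.group(2))
    return rules

def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match the format are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            g = m.groups()
            out.append({'sid': int(g[1]), 'msg': g[3], 'proto': g[4].lower(),
                        'src': g[5], 'sport': int(g[6]), 'dst': g[7], 'dport': int(g[8])})
    return out

def coverage(rules, alerts):
    """Return (sid -> alert count, sorted sids from the rule file that never fired)."""
    fired = Counter(a['sid'] for a in alerts if a['sid'] in rules)
    silent = sorted(sid for sid in rules if sid not in fired)
    return dict(fired), silent

def same_host_alerts(alerts):
    """Alerts whose source equals destination, the pattern the replay left in the post's log."""
    return [a for a in alerts if a['src'] == a['dst']]
```

Rules that stay silent after a replay are the ones worth re-checking (disabled in snort.conf, wrong $HOME_NET, or a packet sneeze could not build from the rule), while the same-host list separates replay noise from the one query that came from elsewhere.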

The sneeze.pl script

Original article: http://xgu.ru/wiki/Sneeze
