[152760] in North American Network Operators' Group
Re: Protocols for Testing Intrusion Detection?
daemon@ATHENA.MIT.EDU (valdis.kletnieks@vt.edu)
Tue May 15 11:25:20 2012
To: Bill Stewart <nonobvious@gmail.com>
In-Reply-To: Your message of "Mon, 14 May 2012 16:52:36 -0700."
<CAD45i01reSDHH=fvm=EPHhuHDdynkJ9u2K8rLTYvC5_dJx048w@mail.gmail.com>
From: valdis.kletnieks@vt.edu
Date: Tue, 15 May 2012 11:23:15 -0400
Cc: NANOG list <nanog@nanog.org>
On Mon, 14 May 2012 16:52:36 -0700, Bill Stewart said:
> - Is there any application that can actually set the RFC3514 Evil Bit?
Here ya go. hping3 patch. Swiss army knives always need one more blade...
[Attachment: hping3.3514.patch]
--- hping3-20051105/globals.h.3514 2007-04-27 16:14:42.000000000 -0400
+++ hping3-20051105/globals.h 2007-04-27 16:14:52.000000000 -0400
@@ -84,6 +84,7 @@ extern int opt_debug,
opt_rand_source,
opt_lsrr,
opt_ssrr,
+ opt_3514,
opt_beep,
opt_flood,
tcp_exitcode,
--- hping3-20051105/main.c.3514 2007-04-27 16:14:42.000000000 -0400
+++ hping3-20051105/main.c 2007-04-27 16:14:52.000000000 -0400
@@ -102,6 +102,7 @@ int
opt_rand_source = FALSE,
opt_lsrr = FALSE,
opt_ssrr = FALSE,
+ opt_3514 = FALSE,
opt_cplt_rte = FALSE,
opt_beep = FALSE,
opt_flood = FALSE,
--- hping3-20051105/parseoptions.c.3514 2007-04-27 16:14:42.000000000 -0400
+++ hping3-20051105/parseoptions.c 2007-04-27 16:14:52.000000000 -0400
@@ -32,7 +32,7 @@ enum { OPT_COUNT, OPT_INTERVAL, OPT_NUME
OPT_ICMP_IPLEN, OPT_ICMP_IPID, OPT_ICMP_IPPROTO, OPT_ICMP_CKSUM,
OPT_ICMP_TS, OPT_ICMP_ADDR, OPT_TCPEXITCODE, OPT_FAST, OPT_TR_KEEP_TTL,
OPT_TCP_TIMESTAMP, OPT_TR_STOP, OPT_TR_NO_RTT, OPT_ICMP_HELP,
- OPT_RAND_DEST, OPT_RAND_SOURCE, OPT_LSRR, OPT_SSRR, OPT_ROUTE_HELP,
+ OPT_RAND_DEST, OPT_RAND_SOURCE, OPT_LSRR, OPT_SSRR, OPT_3514, OPT_ROUTE_HELP,
OPT_ICMP_IPSRC, OPT_ICMP_IPDST, OPT_ICMP_SRCPORT, OPT_ICMP_DSTPORT,
OPT_ICMP_GW, OPT_FORCE_ICMP, OPT_APD_SEND, OPT_SCAN, OPT_FASTER,
OPT_BEEP, OPT_FLOOD };
@@ -114,6 +114,7 @@ static struct ago_optlist hping_optlist[
{ '\0', "rand-source", OPT_RAND_SOURCE, AGO_NOARG },
{ '\0', "lsrr", OPT_LSRR, AGO_NEEDARG|AGO_EXCEPT0 },
{ '\0', "ssrr", OPT_SSRR, AGO_NEEDARG|AGO_EXCEPT0 },
+ { '\0', "evil", OPT_3514, AGO_NOARG },
{ '\0', "route-help", OPT_ROUTE_HELP, AGO_NOARG },
{ '\0', "apd-send", OPT_APD_SEND, AGO_NEEDARG },
{ '\0', "icmp-ipsrc", OPT_ICMP_IPSRC, AGO_NEEDARG|AGO_EXCEPT0 },
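Review bot: the new option is exposed to users as `--evil`, but the enum value and the global are named after the RFC number (`OPT_3514`, `opt_3514`), which breaks the flag-to-identifier convention visible in the neighbouring entries (`"lsrr"`/`OPT_LSRR`, `"ssrr"`/`OPT_SSRR`); consider `OPT_EVIL`/`opt_evil` across the five files so a reader grepping for the flag name finds its handling. `AGO_NOARG` is right for a pure boolean switch.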
@@ -540,6 +541,9 @@ int parse_options(int argc, char **argv)
"strong source route");
ssr[0] = 137;
break;
+ case OPT_3514:
+ opt_3514 = TRUE;
+ break;
case OPT_ROUTE_HELP:
route_help();
break;
--- hping3-20051105/sendip.c.3514 2007-04-27 16:14:42.000000000 -0400
+++ hping3-20051105/sendip.c 2007-04-27 16:14:52.000000000 -0400
@@ -78,11 +78,13 @@ void send_ip (char* src, char *dst, char
/* NetBSD */
ip->frag_off |= more_fragments;
ip->frag_off |= fragoff >> 3;
+ if (opt_3514) ip->frag_off |= 1<<15;
#else
/* Linux */
/* OpenBSD */
ip->frag_off |= htons(more_fragments);
ip->frag_off |= htons(fragoff >> 3); /* shift three flags bit */
+ if (opt_3514) ip->frag_off |= (htons(1<<15));
#endif
ip->ttl = src_ttl;
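Review bot: both branches set bit 15 of `frag_off` with a bare `1<<15`, which reads as a magic number next to the documented `fragoff >> 3` shift; where `netinet/ip.h` defines `IP_RF` (the reserved-fragment flag, 0x8000, which is the bit RFC 3514 renames), use that in both branches, or at least add a one-line comment at the insertion point saying this is the IP reserved flag. The byte-order handling itself is consistent with the surrounding code: the NetBSD branch keeps `frag_off` in host order, and the Linux/OpenBSD branch wraps the constant in `htons()` just as the existing `more_fragments` and offset stores do.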
--- hping3-20051105/usage.c.3514 2007-04-27 16:14:42.000000000 -0400
+++ hping3-20051105/usage.c 2007-04-27 16:14:52.000000000 -0400
@@ -57,6 +57,7 @@ void show_usage(void)
" -G --rroute includes RECORD_ROUTE option and display the route buffer\n"
" --lsrr loose source routing and record route\n"
" --ssrr strict source routing and record route\n"
+" --evil set the RFC3514 IP header bit\n"
" -H --ipproto set the IP protocol field, only in RAW IP mode\n"
"ICMP\n"
" -C --icmptype icmp type (default echo request)\n"
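Review bot: the help line identifies the option only by RFC number, while the flag itself is called `--evil`; say both so the help text and the flag agree, e.g. `" --evil set the RFC3514 \"evil\" bit (IP reserved flag)\n"`, and keep the column alignment of the `--lsrr`/`--ssrr` lines above it.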
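The sendip.c hunk above sets the high bit of the IPv4 flags/fragment-offset word, so a sensor that wants to notice such packets has to decode that same word from the wire. The following decoder is an added example for that defender-side check; it is not part of Valdis's message or of hping3. It reads bytes 6-7 of a raw IPv4 header, reports the reserved bit together with DF, MF and the fragment offset, and refuses to classify a truncated or non-IPv4 buffer. The mask names, the function names and the two sample headers (checksum left zero, since only the flags word matters here) are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Masks for the 16-bit flags/fragment-offset word at IPv4 header bytes 6-7.
 * IP4_RF is the RFC 791 reserved flag, the bit the hping3 patch above sets
 * when --evil is given. (These names are this example's own, not hping3's.) */
#define IP4_RF      0x8000u
#define IP4_DF      0x4000u
#define IP4_MF      0x2000u
#define IP4_OFFMASK 0x1fffu

struct ip4_frag {
    int evil;          /* reserved bit set (the RFC 3514 "evil" bit) */
    int dont_frag;
    int more_frags;
    unsigned offset;   /* fragment offset, in 8-byte units */
};

/* Decode the flags/offset word from a raw IPv4 header as it appears on the
 * wire (network byte order). Returns 0 on success, -1 if the buffer is too
 * short for a header or the version nibble is not 4. */
int ip4_decode_frag(const uint8_t *hdr, size_t len, struct ip4_frag *out)
{
    if (hdr == NULL || out == NULL || len < 20 || (hdr[0] >> 4) != 4)
        return -1;
    uint16_t word = (uint16_t)((hdr[6] << 8) | hdr[7]); /* big-endian -> host */
    out->evil       = (word & IP4_RF) != 0;
    out->dont_frag  = (word & IP4_DF) != 0;
    out->more_frags = (word & IP4_MF) != 0;
    out->offset     = word & IP4_OFFMASK;
    return 0;
}

/* Convenience check: 1 if the reserved bit is set, 0 if clear, -1 on a
 * malformed or truncated header, so junk is never reported as "clean". */
int ip4_evil_bit_set(const uint8_t *hdr, size_t len)
{
    struct ip4_frag f;
    if (ip4_decode_frag(hdr, len, &f) != 0)
        return -1;
    return f.evil;
}

/* Constructed sample headers: 20 bytes, 10.0.0.1 -> 10.0.0.2, protocol TCP,
 * header checksum left zero. sample_plain carries DF only; sample_evil also
 * carries the reserved bit, which is what the patched hping3 emits with --evil. */
const uint8_t sample_plain[20] = {
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x40, 0x00,
    0x40, 0x06, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02
};
const uint8_t sample_evil[20] = {
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0xc0, 0x00,
    0x40, 0x06, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02
};

int main(void)
{
    const uint8_t *samples[2] = { sample_plain, sample_evil };
    for (int i = 0; i < 2; i++) {
        struct ip4_frag f;
        if (ip4_decode_frag(samples[i], 20, &f) != 0) {
            printf("sample %d: malformed\n", i);
            continue;
        }
        printf("sample %d: evil=%d DF=%d MF=%d offset=%u\n",
               i, f.evil, f.dont_frag, f.more_frags, f.offset);
    }
    return 0;
}
```

Returning -1 rather than 0 for a short buffer is deliberate: a check that silently treats an unparseable header as "bit clear" would let a truncated packet pass a filter keyed on this flag.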