Re: Protocols for Testing Intrusion Detection?

[valdis . kletnieks]

On Mon, 14 May 2012 16:52:36 -0700, Bill Stewart said:
> - Is there any application that can actually set the RFC3514 Evil Bit?

Here ya go. hping3 patch. Swiss army knives always need one more blade...

--- hping3-20051105/globals.h.3514	2007-04-27 16:14:42.000000000 -0400
+++ hping3-20051105/globals.h	2007-04-27 16:14:52.000000000 -0400
@@ -84,6 +84,7 @@ extern int	opt_debug,
 		opt_rand_source,
 		opt_lsrr,
 		opt_ssrr,
+		opt_3514,
 		opt_beep,
 		opt_flood,
 		tcp_exitcode,
--- hping3-20051105/main.c.3514	2007-04-27 16:14:42.000000000 -0400
+++ hping3-20051105/main.c	2007-04-27 16:14:52.000000000 -0400
@@ -102,6 +102,7 @@ int
 	opt_rand_source	= FALSE,
 	opt_lsrr        = FALSE,
 	opt_ssrr        = FALSE,
+	opt_3514	= FALSE,
 	opt_cplt_rte    = FALSE,
 	opt_beep	= FALSE,
 	opt_flood	= FALSE,
--- hping3-20051105/parseoptions.c.3514	2007-04-27 16:14:42.000000000 -0400
+++ hping3-20051105/parseoptions.c	2007-04-27 16:14:52.000000000 -0400
@@ -32,7 +32,7 @@ enum {	OPT_COUNT, OPT_INTERVAL, OPT_NUME
 	OPT_ICMP_IPLEN, OPT_ICMP_IPID, OPT_ICMP_IPPROTO, OPT_ICMP_CKSUM,
 	OPT_ICMP_TS, OPT_ICMP_ADDR, OPT_TCPEXITCODE, OPT_FAST, OPT_TR_KEEP_TTL,
 	OPT_TCP_TIMESTAMP, OPT_TR_STOP, OPT_TR_NO_RTT, OPT_ICMP_HELP,
-	OPT_RAND_DEST, OPT_RAND_SOURCE, OPT_LSRR, OPT_SSRR, OPT_ROUTE_HELP,
+	OPT_RAND_DEST, OPT_RAND_SOURCE, OPT_LSRR, OPT_SSRR, OPT_3514, OPT_ROUTE_HELP,
 	OPT_ICMP_IPSRC, OPT_ICMP_IPDST, OPT_ICMP_SRCPORT, OPT_ICMP_DSTPORT,
 	OPT_ICMP_GW, OPT_FORCE_ICMP, OPT_APD_SEND, OPT_SCAN, OPT_FASTER,
 	OPT_BEEP, OPT_FLOOD };
@@ -114,6 +114,7 @@ static struct ago_optlist hping_optlist[
 	{ '\0', "rand-source",	OPT_RAND_SOURCE,	AGO_NOARG },
 	{ '\0', "lsrr",		OPT_LSRR, 		AGO_NEEDARG|AGO_EXCEPT0 },
 	{ '\0', "ssrr",		OPT_SSRR, 		AGO_NEEDARG|AGO_EXCEPT0 },
+	{ '\0', "evil",		OPT_3514,		AGO_NOARG },
 	{ '\0', "route-help",   OPT_ROUTE_HELP,		AGO_NOARG },
 	{ '\0', "apd-send",	OPT_APD_SEND,		AGO_NEEDARG },
 	{ '\0', "icmp-ipsrc",	OPT_ICMP_IPSRC,		AGO_NEEDARG|AGO_EXCEPT0 },
@@ -540,6 +541,9 @@ int parse_options(int argc, char **argv)
 						"strong source route");
 			ssr[0] = 137;
 			break;
+		case OPT_3514:
+			opt_3514 = TRUE;
+			break;
 		case OPT_ROUTE_HELP:
 			route_help();
 			break;
--- hping3-20051105/sendip.c.3514	2007-04-27 16:14:42.000000000 -0400
+++ hping3-20051105/sendip.c	2007-04-27 16:14:52.000000000 -0400
@@ -78,11 +78,13 @@ void send_ip (char* src, char *dst, char
 /* NetBSD */
 	ip->frag_off	|= more_fragments;
 	ip->frag_off	|= fragoff >> 3;
+	if (opt_3514)	ip->frag_off |= 1<<15;
 #else
 /* Linux */
 /* OpenBSD */
 	ip->frag_off	|= htons(more_fragments);
 	ip->frag_off	|= htons(fragoff >> 3); /* shift three flags bit */
+	if (opt_3514)	ip->frag_off |= (htons(1<<15));
 #endif

 	ip->ttl		= src_ttl;
--- hping3-20051105/usage.c.3514	2007-04-27 16:14:42.000000000 -0400
+++ hping3-20051105/usage.c	2007-04-27 16:14:52.000000000 -0400
@@ -57,6 +57,7 @@ void	show_usage(void)
 "  -G  --rroute     includes RECORD_ROUTE option and display the route buffer\n"
 "  --lsrr           loose source routing and record route\n"
 "  --ssrr           strict source routing and record route\n"
+"  --evil           set the RFC3514 IP header bit\n"
 "  -H  --ipproto    set the IP protocol field, only in RAW IP mode\n"
 "ICMP\n"
 "  -C  --icmptype   icmp type (default echo request)\n"

pgpLzvaC5MOt2.pgp
Description: PGP signature