# PaCkAgE DaTaStReAm AUBtocsin 1 372 # end of header 0707010000298c000081a4000050b7000000050000000139aee39200000166000000ac0000000300000000000000000000001200000003AUBtocsin/pkginfoPKG=AUBtocsin NAME=Auburn Univ. Engineering tocsin network scan detector ARCH=sparc,i386 VERSION=2.1 CATEGORY=system, security DESC=feather-weight intrusion detection; network scan/probe detector BASEDIR=/opt/local ROOT=/ VENDOR=Auburn Engineering Network Services HOTLINE=(205)844-2280 EMAIL=doug@eng.auburn.edu CLASSES=none sed PSTAMP=netman20000831180034 0707010000298b000081a4000050b7000000050000000139aee38d0000030c000000ac0000000300000000000000000000001100000003AUBtocsin/pkgmap: 1 372 1 d none $BASEDIR 0755 root sys 1 d none $BASEDIR/man 0755 root sys 1 d none $BASEDIR/man/man1m 0755 root sys 1 f none $BASEDIR/man/man1m/tocsin.1m 0644 root sys 7181 28374 967048243 1 d none $BASEDIR/sbin 0755 root sys 1 f none $BASEDIR/sbin/tocsin.i386 0755 root sys 19912 24936 967761240 1 f none $BASEDIR/sbin/tocsin.sparc 0755 root sys 23660 2462 967762828 1 f none $ROOT/etc/init.d/tocsin 0644 root sys 2510 51374 967762449 1 s none $ROOT/etc/rc2.d/S70tocsin=../init.d/tocsin 1 s none $ROOT/etc/rcS.d/K10tocsin=../init.d/tocsin 1 i acknowledgements 190 17399 967754601 1 i copyright 803 4369 967046531 1 i depend 158 13013 967046868 1 i pkginfo 358 30291 967762834 1 i postinstall 278 23085 967754090 1 i postremove 24 1985 967749505 1 i request 298 24733 967737048 07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000b00000000TRAILER!!!0707010000298c000081a4000050b7000000050000000139aee39200000166000000ac0000000300000000000000000000000800000003pkginfoPKG=AUBtocsin NAME=Auburn Univ. 
Engineering tocsin network scan detector ARCH=sparc,i386 VERSION=2.1 CATEGORY=system, security DESC=feather-weight intrusion detection; network scan/probe detector BASEDIR=/opt/local ROOT=/ VENDOR=Auburn Engineering Network Services HOTLINE=(205)844-2280 EMAIL=doug@eng.auburn.edu CLASSES=none sed PSTAMP=netman20000831180034 0707010000298b000081a4000050b7000000050000000139aee38d0000030c000000ac0000000300000000000000000000000700000003pkgmap: 1 372 1 d none $BASEDIR 0755 root sys 1 d none $BASEDIR/man 0755 root sys 1 d none $BASEDIR/man/man1m 0755 root sys 1 f none $BASEDIR/man/man1m/tocsin.1m 0644 root sys 7181 28374 967048243 1 d none $BASEDIR/sbin 0755 root sys 1 f none $BASEDIR/sbin/tocsin.i386 0755 root sys 19912 24936 967761240 1 f none $BASEDIR/sbin/tocsin.sparc 0755 root sys 23660 2462 967762828 1 f none $ROOT/etc/init.d/tocsin 0644 root sys 2510 51374 967762449 1 s none $ROOT/etc/rc2.d/S70tocsin=../init.d/tocsin 1 s none $ROOT/etc/rcS.d/K10tocsin=../init.d/tocsin 1 i acknowledgements 190 17399 967754601 1 i copyright 803 4369 967046531 1 i depend 158 13013 967046868 1 i pkginfo 358 30291 967762834 1 i postinstall 278 23085 967754090 1 i postremove 24 1985 967749505 1 i request 298 24733 967737048 070701000029b3000041ed000050b7000000050000000239aee38e00000000000000ac0000000300000000000000000000000800000003install070701000029b4000081a4000050b7000000050000000139aec369000000be000000ac0000000300000000000000000000001900000003install/acknowledgementsSean Boran helped a lot with debugging and testing on various platforms and has provided the x86 binary for the package. the folks at secure-sol@parc.xerox.com provided lots of good tips. 070701000029b5000081a4000050b7000000050000000139a3f58300000323000000ac0000000300000000000000000000001200000003install/copyright(c) Copyright 1995, 2000 Doug Hughes All rights reserved. 
Redistribution and use in source and binary forms are permitted provided that this paragraph is duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Doug Hughes at Auburn University. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. All contributed software is covered by this copyright and any persons contributing enhancements, modifications, patches, or other software are allowing their works to be covered. Credit is given in the source file where applicable. 070701000029b6000081a4000050b7000000050000000139a3f6d40000009e000000ac0000000300000000000000000000000f00000003install/dependP SUNWcar Core Architecture, (Root) P SUNWkvm Core Architecture, (Usr) P SUNWcsr Core Sparc, (Root) P SUNWcsu Core Sparc, (Usr) P SUNWcsd Core Sparc Devices 070701000029c2000081a4000050b7000000050000000139aec16a00000116000000ac0000000300000000000000000000001400000003install/postinstall# Architecture neutral binary install # copy over the binary that matches `uname -p`; remove the unneeded one # NOTE(review): the "ed -s /etc/init.d/tocsin < /tmp/tocsin.request" step below runs as root during pkgadd and takes its editing commands from a fixed name in world-writable /tmp. Any local user can create that file ahead of time (ed honours "!command" shell escapes, and the file being edited is a boot-time script that init runs as root), so the edit script should be written to a private directory created with mktemp and its path handed to this script, not assumed. The request script shown in this package does not visibly write /tmp/tocsin.request, so confirm where it is produced. Also note that the rm below omits $PKG_INSTALL_ROOT, unlike the mv, so with an alternate root it deletes from the live system. mv $PKG_INSTALL_ROOT/$BASEDIR/sbin/tocsin.`uname -p` $PKG_INSTALL_ROOT/$BASEDIR/sbin/tocsin rm $BASEDIR/sbin/tocsin.* ed -s /etc/init.d/tocsin < /tmp/tocsin.request export BASEDIR BASEDIR=`ckpath -Qartwy -h "This specifies the location where the binaries and manual pages for tocsin will be installed."
-p "tocsin installation base directory: [$BASEDIR] " -d "$BASEDIR"` echo "BASEDIR=${BASEDIR}" >> $1 070701000029a1000041ed000050b7000000050000000439aee38d00000000000000ac0000000300000000000000000000000600000003reloc070701000029a8000041ed000050b7000000050000000439aee38d00000000000000ac0000000300000000000000000000000f00000003reloc/$BASEDIR070701000029a9000041ed000050b7000000050000000339aee38d00000000000000ac0000000300000000000000000000001300000003reloc/$BASEDIR/man070701000029aa000041ed000050b7000000050000000239aee38d00000000000000ac0000000300000000000000000000001900000003reloc/$BASEDIR/man/man1m070701000029ab000081a4000050b7000000050000000139a3fc3300001c0d000000ac0000000300000000000000000000002300000003reloc/$BASEDIR/man/man1m/tocsin.1m.TH tocsin 1m "22 Aug 2000" .\" Copyright 2000 - Doug Hughes, Auburn University .SH NAME tocsin - simple intrusion detection of network scanners .\" denote multiple entry points thus; makewhatis(8) will catch them .SH SYNOPSIS .B tocsin .RB "[\| " -dvITODh " \|]" .RB "[\| " -i .IR interface " \|]" .RB "[\| " -o .IR file " \|]" .IR port " .\|.\." .SH "DESCRIPTION" .LP .B tocsin is a very simple daemon that listens promiscuously to your network. It will watch for .IR port scans of any kind to the ports that you designate on the command line. .B tocsin will, by default, operate on the first network interface it finds on your machine (usually something like hme0). Because .B tocsin listens to the network promiscuously, it will detect all currently known scan tactics, and whatever new ones happen to come along. It doesn't matter if the person (or program) doing the scanning is doing a SYN, FIN, ACK, RST, Xmas, or any other type of scan. .LP All scan attempts are logged via .B syslog using facility \f3LOG_AUTH\f1, and level \f3LOG_NOTICE\f1. (see .B syslog man page). .SS "Port Descriptions" .IR Ports can be specified by protocol name (e.g. \f3tcpmux\f1, \f3discard\f1, \f3daytime\f1) . 
Any name listed in the \f3/etc/services\f1 file or services NIS map (if using NIS) is a valid option. .IR Ports can also be specified by number (e.g. 1, 9, 13, 31337) .SH OPTIONS The following options are supported: .TP 10 .B \-d Debug -- Dumps matching packets in hexadecimal format to standard output. .B tocsin will also run in the foreground, not fork into a background process. .TP .B \-D Destination Only -- Shows only scans of this network as a destination. If this flag is not specified, and you were watching for scans of rlogin and then tried to rlogin to another machine on a different network, the outgoing attempt to access rlogin would also be logged as a scan attempt. Without .B -D both incoming and outgoing scans are logged. .TP .B \-h Help -- Displays a brief usage summary. .TP .B \-I Invert -- Inverts the port matching conditions. All packets will be matched except those to the ports specified on the command line. (see .B EXAMPLES) .TP .BI \-o " file" Output -- Outputs all matched packets to a file in snoop v2 format. This file can then be further processed with a network analyzer such as .B ethereal or .B snoop. Snoop v2 packet format is defined in RFC 1761. Because .B tocsin is normally started as root (from /etc/init.d), .I file should live in a directory that only root can write to, such as /var/log, and not in /tmp or /var/tmp, where another user could plant a symbolic link or a bogus file of that name beforehand; the capture also contains packet contents, so keep it from being world readable. .TP .B \-O IP Options -- In addition to the normal port scan detection, also shows any packets that have Internet Protocol Options set in the header. This can yield false positives, and is best left unused unless you have a specific purpose in mind. See a good IP book for a discussion of IP options such as .I "TCP/IP Illustrated" by Stevens, or .I "Internetworking with TCP/IP" by Comer. .TP .B \-T TCP Only -- Shows only TCP packets (ignore UDP and others). This flag isn't really of much use except for special situations. .TP .B \-v Verbose -- Shows additional warning messages and scan attempts to standard output. .SH DISCUSSION .LP Why should you use tocsin instead of .B NFR or .B snort? .B Tocsin is simple, easy to verify, and doesn't have lots of complex options or rules.
It requires no particular third party libraries or dependencies. All you need is a binary, or the source and a C compiler. It does not depend on \f3libpcap\f1. It is designed to be a feather-weight scan detector engine. .LP .B Snort is less complex than .B NFR and has many more capabilities than tocsin. It is a midway point between the absolute simplicity of .B tocsin and the complete configurability of .B NFR. .B Snort is a light-weight rule-based intrusion detection system, but at the time this was written it did not have a port scan detection module. This is exactly what .B tocsin is, so in some ways they complement each other. .B Snort depends on \f3libpcap\f1. .LP .B NFR is really designed to be embedded in an intrusion detection ``appliance''. It has a very complex language, but also a fair amount of pre-configured intrusion detection recipes. It's an industrial strength package with all of the plusses and minuses that this involves. .SH ERRORS If a service name given as text on the command line does not exist in any of the \f3services\f1 maps on the machine, an error will be indicated. .SH EXAMPLES .LP This example shows all scans of ports \f3tcpmux\f1, \f3daytime\f1, \f3shell\f1, 44, 66, 31337, and \f3ntp\f1. It also illustrates how service names and numbers can be mixed freely and how to save all the matched packets to an output file. The capture goes to a root-owned directory rather than /tmp or /var/tmp because .B tocsin runs with root privileges. .IP .B "example# tocsin -o /var/log/tocsin.snoop tcpmux daytime shell 44 66 31337 ntp" .LP The next example shows an inverted condition. All TCP-only services except those listed on the command line below will be detected and logged as scan attempts. Additionally, only scans of this network -- not from this network to another -- will be logged. .IP .B "example# tocsin -I -T -D rlogin shell ntp ftp ftp-cmd telnet 22" .LP This example will run on network interface hme1.
(see .B ifconfig) .IP .B "example# tocsin -i hme1 31337 12345 12346" .SH FILES .nf .\" set tabstop to longest possible filename, plus a wee bit .ta \w'/etc/services 'u \fI/etc/services\fR service name to number matching .SH "SEE ALSO" .\" Always quote multiple words for .SH .BR syslogd (1m), .BR ifconfig (1m), .BR nsswitch.conf (4), .BR services (4), .BR pfmod (7m), .BR bufmod (7m), .BR dlpi (7P), .BR hme (7d), .BR if (tp), .BR if_tcp (tp), .BR www.snort.org, .BR www.nfr.net .SH NOTES .LP The .B -I flag should be used with extreme care. You should only consider using this flag on a sacrificial ``honeypot'' type machine. If you miss even a single service, you will get lots of false alarms. This machine should probably even be on its own VLAN (or at least in its own broadcast domain). Here is a suggested minimum set of ports to specify with .B -I .IP .BR smtp, .BR syslog, .BR "22 (ssh)," .BR "520 (RIP routing broadcasts)," .BR domain (DNS) .LP Alternate ports include .BR telnet, .BR ftp, .BR ftp-cmd, .BR "login (rlogin)," .BR "shell (rsh)," .BR "ntp (network time protocol)," .LP .B tocsin is normally started as root from /etc/init.d. If you use .B -o , write the capture to a directory only root can write to (not /tmp or /var/tmp) and keep it from being world readable. .SH REFERENCES .LP RFC1700 (well known services) .LP RFC1761 (Snoop v2 packet capture format) .LP \fChttp://www2.merton.ox.ac.uk/\~security/nt-security-199905/0078.html\fR (trojan ports) .LP .I "TCP/IP Illustrated," W. Richard Stevens .LP .I "Internetworking with TCP/IP," Douglas Comer .SH AVAILABILITY .TP http://www.eng.auburn.edu/~doug (Tools link) .TP ftp://ftp.cerias.purdue.edu/pub/tools/unix/logutils/ .SH AUTHOR Doug Hughes, Auburn University. doug@eng.auburn.edu .SH HISTORY This program was developed as a follow-on for .B Klaxon (available at \f3Coast\f1 archive and now with several linux distributions). The problem with .B klaxon is that it will not detect any sorts of stealth scans. It will detect simple scans to simple services that can be implemented in \f3inetd.conf\f1 (for instance \f3rexec\f1). .LP .B Tocsin then was written totally in DLPI to get around these problems.
It operates by pushing packet filters into the kernel for maximum efficiency. .B Tocsin was first conceived in 1995 and operates on SunOS4 and Solaris2 platforms. 070701000029ac000041ed000050b7000000050000000239aee38d00000000000000ac0000000300000000000000000000001400000003reloc/$BASEDIR/sbin070701000029ad000081a4000050b7000000050000000139aedd5800004dc8000000ac0000000300000000000000000000002000000003reloc/$BASEDIR/sbin/tocsin.i386ELF4I4 (44666666/usr/lib/ld.so.1SbF]L;^%Q7(PO!JI1`CMWBE[8>5=#43GAXNY\TZ9&K_aV" 2/<,0-+H$@:)?6SDRU.*'   ( P   + , @, 6677777o X' #0(" 0@5=D;M>RYp`@e;!j 6* ;p+#  P60 ;&-' :AGNT(j ` e;!mPt~`>`0> P@7 ,) p 6 @, T  %`+2) @G, M["dsocketgetopt_startAttachDeviceread_mcountatoiisdigitsetuid_environ_endstrdupgetpidfork_iob__register_frame_info_GLOBAL_OFFSET_TABLE_signalatexitexitopenlogdlinforeqoptoptmallocsprintfputs_initsetpgrpgetservbynamestrncatstrncpygethostbyaddr_DYNAMICprintf__iobgetmsgBindProtocolstrcatioctlsetsidwriteAcknowledgepollenvironperror__fpstartinet_ntoaoptindcloseopenoptarg__deregister_frame_infostrcmpgettimeofdayputmsg_edata_PROCEDURE_LINKAGE_TABLE_memsetPromModestrcpy_etext_lib_versionmainhtonssyslogGetMACAddressstrstr_finigetservbyport_cleanupfprintflibnsl.so.1SUNW_0.7libsocket.so.1SUNW_0.7libc.so.1SUNW_0.7libnsl.so.1libsocket.so.1libc.so.1l (= x (= (= $6N,6*>M;1;$;=>J6`6-6H 6.(6N06*46<86(<6G@6KD6'H66L6BP6aT6[X64\6`6Ad62h6Tl69p68t6Lx6!|6O6Z6V6&6C66]6"6_676/6,6#6E66P6:6I636@6Q6>5 6%6%6h%6h%6h% 6h%(6h %06h(%46h0%86h8p%<6h@`%@6hHP%D6hP@%H6hX0%L6h` %P6hh%T6hp%X6hx%\6h%`6h%d6h%h6h%l6h%p6h%t6h%x6hp%|6h`%6hP%6h@%6h0%6h %6h%6h%6h%6h%6h%6h%6h%6h %6h(%6h0%6h8p%6h@`%6hHP%6hP@%6hX0%6h` %6hhjjRt h6th,ET;RU RPM PjUS[#uDPЋ8u⃻tPǃ]ÐUS[t#[ÐUS[\#$tPPN]ÐUS[$#[Uh`,-jU}ul}h(.j~ jj j jPj h`.h(;US]57Sh.j j/UujUWVSjjj؃}h.EPhWi@S}h.EPEE@MMPPhiSZ } h.:;U}*]42/t B;U|3e[^_U$SE UM]EUM]EPhSu|E]ÐU|WVSDžDž`6/:/fjjPEPGDžhh5>P7}h0jmjh757=;=it=ou5;h15;h+1Mh0E PUR=M9 >uh`1 E9>>U 
h1SSt7@8rh1S&t7@8Eh1StSh1ej+7@8PjS0PЃu&utSh2S2.С7@8S7@f48jjSQЃu$uSh@2ypr7@Rf8SС7@8utVh2%7@87>M9 >􋅀Pj%jjh2 hjhj  hjmhj^ hjL􍝠SU ha7Sh2jfDž |jjPfu=utʃh2hPPuth2=7t +ljDžjPKjS57 QP57kt +PP57G$%=~ DžjjPujPP h0P>3fE$=t@=t=tQ=/tbt22{22fR282&Ph2|P=t =t |h2WXD /$?؃ th2W3th3|Pth 3|Rth3|Qth3|Pth3|R|Ћ|D)3󫃽~."%P%Ph3P1tC=7u:PRP|PpPh@3-PRPV|RPh3P uPj% 3;}Auh3DP;Ph3;|Ńh3UpVSuU EE EPEEjjEPV} h4IELE]]EPjEPV|h4jSh4_3e[^ÐU|WVS}E UM]uEEEUfMf]uEEEjjEPW?} h4JELE]]EPjEPW|h4jS!h43x[^_ÐUS]E 9tOuh4h(;;us sh 5h(;3h`5h(;3]ÐUpVSuU EEEPEEEjjEPV#} h5JELE]]EPjEPV|h5jSh53e[^ÐUpVS]u E1E@EEEEjjEPSs} h55ELE EEEPjEPSL}h535h5j2EPAu3MU D fFe[^UWVSu} DžEEEDžjEPV} h5;EEEPjEPVf}h533h5jS\u3MS8 D fG[^_UVS[k t Ѓ>u[^US[8 [ usage: tocsin [-i ] [-o ] [-dDhIOTv] service [service] [service] [...] -d debug and dump packet in hex -o dump packet in snoop format to -h this message -v verbose mode -I invert service rules (all EXCEPT ...) -T TCP packets only - ignore UDP -O Show 'anything' with IP_OPTIONS set in header -D Only show stuff coming 'to' this destination network -i (or use first non-loopback system interface found) couldn't go into backgroundDebug mode enabled. Not forking. Not sysloging... tocsin stopping after receiving signal %dThere was some trouble figuring out the default interface. Try using the -i flaglo0/dev/%s couldn't be opened. Try the -i flag? 
Couldn't attach a device with that particular instance: %s Bad interface name - %s binding deviceioctl SIOCGIFCONFioctl SIOCGIFNETMASKDLIORAWRMSGDpfmodcouldn't push packet filterpushing packet filterbufmodpushing timeoutsetting flagstocsin: setting chunksizetocsin: setting truncationI_FLUSHi:dITODho:vCouldn't open output file for writingtocsin: option requires an argument -- %c tocsin: illegal option -- %c tocsin: Insufficient arguments :t:u:tocsin: syntax error in service name %s, should be :t or :uWarning: service name undefined for %s Warning: skipping unknown service %s matching SYN requests to port %d tocsinStarting tocsin 2.2 on %sinterrupted poll Read got nothing ICMPTCP: UDPGRE%d(URG|ACK|PSH|RST|SYN|FIN)(IP_OPTIONS! [%d,%d])ALERT: host %s probing service: %s [%s] @ %s %s ALERT: host %s IP (%s) probing %d@%s (Opts: %s) %2.2x%2.2x 0L@Attach Device:Attach Device ack!DL_ATTACH_REQBind Protocol:Bind Protocol ACK!DL_BIND_REQdlpi: %s is nacked. dlpi: dlpi_errno %d dlpi: unix_errno %d dlpi: spiritual primitive %d. Prom Mode:Prom Mode ack!DL_PROMISCON_REQdlphysaddrreq: putmsgEthernet address ack!DL_PHYS_ADDR_REQputmsg: dlinfo_reqDL_INFO_REQ6&6FVfv&6FVfv&6FVfv + ,   o<o opP  oo67snoop   ( P   + , @, 66777777>"-  <7@7N7Z  p7 7  77 7777777% + 25 < G \? 
e9 n8xX' + + 7+ 777o X' *0/" ?@DLS;\>ahpo@t;!y 6* ;p+#  P%6.05;;B' OV\ci(j u z;!P`>`0> P@7 ,) p!6 (@, 5T  :`@G) U\, bp"ytocsincrt1.scrti.svalues-Xa.ccrtstuff.cgcc2_compiled.p.3__DTOR_LIST__completed.4__do_global_dtors_aux__EH_FRAME_BEGIN__fini_dummyobject.11frame_dummyinit_dummyforce_to_data__CTOR_LIST__tocsin.cgcc2_compiled.SnoopFileHeaderofilenportsInvertIP_OptionsDest_OnlyTcp_OnlyusagedaemonsignalledFatalErrorFindDefaultInterfacestrioctlinit_nitscanarraymydlpi.cgcc2_compiled.crtstuff.cgcc2_compiled.__do_global_ctors_aux__CTOR_END__init_dummyforce_to_data__DTOR_END____FRAME_END__crtn.osocketgetopt_startAttachDeviceread_mcount_START_atoiisdigitsetuid_environ_endstrdupgetpidfork_iob__register_frame_info_GLOBAL_OFFSET_TABLE_signalatexitexitopenlogdlinforeqoptoptmallocsprintfputs_initsetpgrp_END_getservbynamestrncatstrncpygethostbyaddr_DYNAMICprintf__iobgetmsgBindProtocolstrcatioctlsetsidwriteAcknowledgepollenvironperror__fpstartinet_ntoaoptindcloseopenoptarg__deregister_frame_infostrcmpgettimeofdayputmsg_edata_PROCEDURE_LINKAGE_TABLE_memsetPromModestrcpy_etext_lib_versionmainhtonssyslogGetMACAddressstrstr_finigetservbyport_cleanupfprintfGNU C crt1.sas: Sun WorkShop 6 99/06/03GNU C crti.sas: Sun WorkShop 6 99/06/03@(#)SunOS 5.8 Generic February 2000GCC: (GNU) 2.95.2 19991024 (release)as: Sun WorkShop 6 99/06/03GCC: (GNU) 2.95.2 19991024 (release)as: Sun WorkShop 6 99/08/16GCC: (GNU) 2.95.2 19991024 (release)as: Sun WorkShop 6 99/08/16GCC: (GNU) 2.95.2 19991024 (release)as: Sun WorkShop 6 99/06/03GNU C crtn.oas: Sun WorkShop 6 99/06/03ld: Software Generation Utilities - Solaris-ELF (4.0)O <F4.interp.hash.dynsym.dynstr.SUNW_version.rel.got.rel.bss.rel.plt.plt.text.init.fini.rodata.got.dynamic.data.ctors.dtors.eh_frame.bss.symtab.strtab.comment.stab.index.shstrtab.stab.indexstrvalues-Xa.cXa ; O ; V=3.1 ; R=WorkShop Compilers 5.0 98/12/15 C 5.0/on28-builds/on28_38c/usr/src/lib/libc/i386; /opt/SUNWspro/SC5.0/bin/../SC5.0/bin/cc -O -Xa -D_REENTRANT -Di386 -Iinc -I../inc 
-DTEXT_DOMAIN='\"SUNW_OST_OSLIB\"' -I/on28-builds/on28_38c/proto/root_i386/usr/include -c -o values-Xa.o ../port/gen/values-Xa.c -W0,-xp     o  `-   6 ( ( (? P P p HM*S++#Y,,_@,@, g66l66u770{77777777 7 J@iEDG$ hG>HO 070701000029ae000081a4000050b7000000050000000139aee38c00005c6c000000ac0000000300000000000000000000002100000003reloc/$BASEDIR/sbin/tocsin.sparcELFP4X 4 (445N5N5P5P0 77/usr/lib/ld.so.1ShJbP=df&Tc9!)SR"NMXaEQ[DI^L@6`?$84KC\]_WH;'OegZ# +530>-1.:,%B<G*A7VFU2Y/( \  @P -4 - - - .5P5T78X88:6  %6,P 3( @7(E6J6R7Y8b>g6n5u5z=@! 5P7556,T =687X6-4P 5866h6\7@$7-54=@:7A)h N7dU6,[5b6h*,| t5z 78!587L>56t>6P747|:5T6D * )605N7- D  I6P+d ^6e7pl6s8-P 6 5socket__1cH__CimplKcplus_fini6F_v_getopt_startAttachDevicereadatoiisdigitsetuid_environ_endstrdupgetpidfork_iob_ex_register_GLOBAL_OFFSET_TABLE_signalatexitexitopenlogdlinforeqoptoptmallocsprintfputs_initsetpgrp___Argvgetservbynamestrncatstrncpygethostbyaddr_DYNAMICprintf__iobgetmsgBindProtocolstrcatioctlsetsidwriteAcknowledge_exit_ex_deregisterpollenvironperror__cg92_usedinet_ntoaoptindcloseopenoptargstrcmpgettimeofdayputmsg_edata_PROCEDURE_LINKAGE_TABLE_memset__fsr_init_valuePromModestrcpy_etext_lib_versionmainsyslogGetMACAddressmemcpystrlenstrstr__environ_lock_finigetservbyport__1cH__CimplKcplus_init6F_v_fprintflibnsl.so.1SISCD_2.3libsocket.so.1SISCD_2.3libc.so.1SUNW_0.7libnsl.so.1libsocket.so.1libc.so.1 zt zt =(8dH8`+8\8Xf>Q=2=?>N5.5/5G5>5)5O5(575D5g5K6^656 6,C6836DW6PR6\;6h:6tP6"6`66Z6'6E6b6#6e69607-7$7I7(!74S7@<7LM7X47dB7pa7|T7@ @D"`, @'$+`-` `?-) - =--% # @I*K@I'!@@{@I @I!㿠K@I K@I @I 㿠 @I K @I@I @I @I@I @IL@I@I@H  @H  㿠@HА @I@H 㿠@H@Hۑ 㿐  @H  W@H 6P@H( @H ('0'@Hڐ 6ϐ L 8@H  ` &. 㿐''''@H 6h$' `'K܈  (L<@H  @H N 0N 0 &N@H@H  :@H@  9(   @1 8  @HY  @H] %''0@HN 1  @HP "  @HF  .@HK 0@H. '@H @B ? h  1#@H    @H"#@H   ̀ 77 7$7 7 77Ȁ 333$33 3 3 33333 $ $ `( "32 3` 3 3 `@&33  3 3$333 Ā 3  3/33%33"@#0Ԅ8/ ''؄"'܄'@G #3?@Gy'؄b 'Ԅ '̒'܄''@Gk xb'Ԅ  'ؔԒ'Ȅ''@G\ pb'Ԅ'ؒ''@GP kb'Ԅ'ؒ''@GD f#@G>  gLL@@G@G  ÐLl@G @G?ÐL@GL@G@F? 
L@G @F ̴ L@G@F L@F@F?1L@F@Fې L@F@FԐ L@F,@F͐ u#L@FD@FƐ?bL@FܐT@F bL@FՐd@F?bL@Fΐ@F?#@FȐ@F  K~  ///K (K  ݈  (L@Fǒ?"}L$`d`O `?V`D-`I"!e`O,`T"^`o `d.`h `i"%S`o*`v"& L;H C̆ >Ȇ 8Ć 2@F- *(1@Fy̒#@Fg! &  @Fq !io2 !L!@FL@F@FN?`d"ȀL@F0"ȀL"ȰP`  (@F6  ( ( MLT@F(  ( ( MLX@F ( ( M@F -@E@F  L@E@E( ( @E ( ( @Eؐ( (0! @E  "0`L@E*` ! (  (0@E ( ( L@Er܉(@!(-! `&``&k`A  @E %Dܒ@E @E @E @E  )@E ܢ:@Eaܒ@EO  Ԃ@ `0`Ԓ @@E?ڂ@P`΀ Ԑ@Ԃ@@Ew%  L@E41 4@ ` `  ` `  Ă@ `Ȃ@ `̂@@EO  @@E*  Ԃ@@E#`  @E @` " (@@@D  @@E!  @@E~@@Dڔ  ~@`@Dє!~ @ @DÔ @5`@`@ 2~/"#*L~@@DH (,~L@ @DP ,L~ @@DX ,~L@@D\  ,~,@L@D` ܂@"   @ @ZL~@@Dd|@ @   L~@@Dh   L~@@Dp   L~@@Dvx   L~@@Dk   L~@@D`  ~L@@DV~@@DT~@* @D ` @`8L@D8~@@@C  "~@`#d@Dd ~#\@~L@~@@D  ~@`#`@D` ~#\@L~@~@@C   ~@@C % KMմ@M <($2 @Cd  @C_<M@CY() &L@CQ !L@Ca@CD  L\@CD@C< yM8 ' ' ' ''@C M@CA,  L'''@C M@C0< 0@5 0 '' '' 7'7''@Cu M@CP  L'ܐ'ܖ'@Cg M@B` @@ 㿠 !M@Bt M@B  M@B  8 ' ''  '''@C' M@B؁  L'''@C M@B L 8 1' '' ' ' '@B M@B  L' ''@B M@B  ` 2   @B   㻈' '' ' '@B M@BW$ $'''@B M@BG8 tL    8@B[   㿠@ 0??@@㿠@ ??@@/dev/tocsin version 2.1.1.2 usage: tocsin [-i ] [-o ] [-dDhIOTv] service [service] [service] [...] -d debug and dump packet in hex -o dump packet in snoop format to -h this message -v verbose mode -I invert service rules (all EXCEPT ...) -T TCP packets only - ignore UDP -O Show 'anything' with IP_OPTIONS set in header -D Only show stuff coming 'to' this destination network -i (or use first non-loopback system interface found) couldn't go into backgroundDebug mode enabled. Not forking. Not sysloging... lo0%s couldn't be opened. Try the -i flag? 
Couldn't attach a device with that particular instance: %s Bad interface name - %s binding deviceioctl SIOCGIFCONFioctl SIOCGIFNETMASKDLIORAWRMSGDcouldn't push packet filterpushing packet filterpushing timeoutsetting flagstocsin: setting chunksizetocsin: setting truncationI_FLUSHi:dITODho:vCouldn't open output file for writingtocsin: option requires an argument -- %c tocsin: illegal option -- %c i:dITODho:vtocsin: Insufficient arguments :t:u:tocsin: syntax error in service name %s, should be :t or :uWarning: service name undefined for %s Warning: skipping unknown service %s matching SYN requests to port %d interrupted poll Read got nothing ICMPTCP: UDPGRE%d(URG|ACK|PSH|RST|SYN|FIN)(IP_OPTIONS! [%d,%d])ALERT: host %s probing service: %s [%s] @ %s %s ALERT: host %s IP (%s) probing %d@%s (Opts: %s) %2.2x%2.2x Attach Device:Attach Device ack!Bind Protocol:Bind Protocol ACK!dlpi: %s is nacked. dlpi: dlpi_errno %d dlpi: unix_errno %d dlpi: spiritual primitive %d. Prom Mode:Prom Mode ack!dlphysaddrreq: putmsgEthernet address ack!putmsg: dlinfo_reqEthernet address ack!700<0H0T0`0l0x00000000000000 0,080D0P0\0h0t0000000000000~0{0x(0u40r  -4 - \ " oo o@ p oo5Tllsnooptocsin stopping after receiving signal %dThere was some trouble figuring out the default interface. Try using the -i flagThere was some trouble figuring out the default interface. Try using the -i flagThere was some trouble figuring out the default interface. Try using the -i flagpfmodbufmodtocsinStarting tocsin 2.1.1.2 on %sDL_ATTACH_REQDL_BIND_REQDL_PROMISCON_REQDL_PHYS_ADDR_REQDL_INFO_REQ \  @P -4 - - - .5P5T78X88:d>8h- &P 078EQZ8j8p8w8~888: $ D ,  ,0 \< \ 8x - -4  6 ' D6KP R( _7(l6q6y78>655=@! 
5P7556,T =687X6 -4P 58%636h;6\C7@Q7Z5a=@g7n)h {7d6,56*,| 5 78!587L>56t>6P74 7|:5T56D<M* V6]5Nd- q  v6}+d 67p68-P 6 5tocsincrti.s_ex_shared0_ex_range0_ex_text0crt1.s__crt_scratchvalues-Xa.ctocsin.cSnoopFileHeaderofilenportsInvertIP_OptionsDest_OnlyTcp_OnlyscanarrayusagedaemonsignalledFatalErrorFindDefaultInterfacestrioctlinit_nitmydlpi.ccrtn.s_ex_shared1_ex_range1_ex_text1socket__1cH__CimplKcplus_fini6F_v_getopt_startAttachDeviceread_START_atoiisdigitsetuid_environ_endstrdupgetpidfork_iob_ex_register_GLOBAL_OFFSET_TABLE_signalatexitexitopenlogdlinforeqoptoptmallocsprintfputs_initsetpgrp___Argv_END_getservbynamestrncatstrncpygethostbyaddr_DYNAMICprintf__iobgetmsgBindProtocolstrcatioctlsetsidwriteAcknowledge_exit_ex_deregisterpollenvironperror__cg92_usedinet_ntoaoptindcloseopenoptargstrcmpgettimeofdayputmsg_edata_PROCEDURE_LINKAGE_TABLE_memset__fsr_init_valuePromModestrcpy_etext_lib_versionmainsyslogGetMACAddressmemcpystrlenstrstr__environ_lock_finigetservbyport__1cH__CimplKcplus_init6F_v_fprintf <S4* <S4cg: WorkShop Compilers 5.0 99/12/10 Compiler Common 5.0 Patch 107357-07@(#)stdio.h 1.49 97/05/09 SMI@(#)feature_tests.h 1.13 97/06/26 SMI@(#)va_list.h 1.6 96/01/26 SMI@(#)stropts.h 1.9 96/04/26 SMI@(#)stropts.h 1.32 97/03/03 SMI@(#)types.h 1.51 97/05/06 SMI@(#)isa_defs.h 1.11 97/03/21 SMI@(#)machtypes.h 1.11 96/04/29 SMI@(#)int_types.h 1.4 96/09/25 SMI@(#)select.h 1.11 96/06/20 SMI@(#)time.h 2.52 96/11/15 SMI@(#)time.h 1.25 96/03/12 SMI@(#)siginfo.h 1.39 96/06/28 SMI@(#)machsig.h 1.12 96/04/29 SMI@(#)conf.h 1.53 97/05/09 SMI@(#)t_lock.h 1.43 97/04/04 SMI@(#)machlock.h 1.15 97/04/04 SMI@(#)sleepq.h 1.19 97/04/04 SMI@(#)turnstile.h 1.30 97/04/23 SMI@(#)param.h 1.48 97/06/26 SMI@(#)unistd.h 1.29 96/06/05 SMI@(#)pirec.h 1.12 97/03/14 SMI@(#)mutex.h 1.17 97/04/04 SMI@(#)rwlock.h 1.5 97/04/04 SMI@(#)semaphore.h 1.4 94/07/29 SMI@(#)condvar.h 1.8 97/03/14 SMI@(#)errno.h 1.14 95/10/30 SMI@(#)errno.h 1.16 95/07/04 SMI@(#)netdb.h 1.18 96/09/24 SMI@(#)in.h 1.13 96/11/01 
SMI@(#)stream.h 1.73 97/05/29 SMI@(#)vnode.h 1.70 98/08/13 SMI@(#)cred.h 1.20 96/12/06 SMI@(#)uio.h 1.28 97/06/27 SMI@(#)resource.h 1.21 96/06/03 SMI@(#)seg_enum.h 1.3 95/12/22 SMI@(#)poll.h 1.24 97/04/18 SMI@(#)strmdep.h 1.8 92/07/14 SMI@(#)model.h 1.1 96/09/24 SMI@(#)byteorder.h 1.11 96/09/08 SMI@(#)poll.h 1.7 92/07/14 SMI@(#)ioctl.h 1.9 92/07/14 SMI@(#)file.h 1.49 97/03/14 SMI@(#)signal.h 1.50 97/04/16 SMI@(#)socket.h 1.30 97/01/20 SMI@(#)netconfig.h 1.13 95/02/24 SMI@(#)sockio.h 1.15 96/11/11 SMI@(#)ioccom.h 1.10 92/07/14 SMI@(#)syslog.h 1.10 92/07/14 SMI@(#)if.h 1.8 96/11/06 SMI@(#)memory.h 1.8 92/07/14 SMI@(#)string.h 1.19 96/03/12 SMI@(#)dlpi.h 1.18 96/09/27 SMI@(#)pfmod.h 1.4 93/02/04 SMI@(#)bufmod.h 1.6 93/09/08 SMI@(#)ethernet.h 1.10 94/08/08 SMI@(#)fcntl.h 1.37 96/07/07 SMIacomp: WorkShop Compilers 5.0 99/12/04 C 5.0 patch 107289-05cg: WorkShop Compilers 5.0 99/12/10 Compiler Common 5.0 Patch 107357-07@(#)stdio.h 1.49 97/05/09 SMI@(#)feature_tests.h 1.13 97/06/26 SMI@(#)va_list.h 1.6 96/01/26 SMI@(#)types.h 1.51 97/05/06 SMI@(#)isa_defs.h 1.11 97/03/21 SMI@(#)machtypes.h 1.11 96/04/29 SMI@(#)int_types.h 1.4 96/09/25 SMI@(#)select.h 1.11 96/06/20 SMI@(#)time.h 2.52 96/11/15 SMI@(#)time.h 1.25 96/03/12 SMI@(#)siginfo.h 1.39 96/06/28 SMI@(#)machsig.h 1.12 96/04/29 SMI@(#)ioctl.h 1.9 92/07/14 SMI@(#)file.h 1.49 97/03/14 SMI@(#)t_lock.h 1.43 97/04/04 SMI@(#)machlock.h 1.15 97/04/04 SMI@(#)sleepq.h 1.19 97/04/04 SMI@(#)turnstile.h 1.30 97/04/23 SMI@(#)param.h 1.48 97/06/26 SMI@(#)unistd.h 1.29 96/06/05 SMI@(#)pirec.h 1.12 97/03/14 SMI@(#)mutex.h 1.17 97/04/04 SMI@(#)rwlock.h 1.5 97/04/04 SMI@(#)semaphore.h 1.4 94/07/29 SMI@(#)condvar.h 1.8 97/03/14 SMI@(#)socket.h 1.30 97/01/20 SMI@(#)uio.h 1.28 97/06/27 SMI@(#)netconfig.h 1.13 95/02/24 SMI@(#)if.h 1.8 96/11/06 SMI@(#)fcntl.h 1.37 96/07/07 SMI@(#)sockio.h 1.15 96/11/11 SMI@(#)ioccom.h 1.10 92/07/14 SMI@(#)pfmod.h 1.4 93/02/04 SMI@(#)stropts.h 1.32 97/03/03 SMI@(#)conf.h 1.53 97/05/09 SMI@(#)ethernet.h 1.10 
94/08/08 SMI@(#)dlpi.h 1.18 96/09/27 SMI@(#)in.h 1.13 96/11/01 SMI@(#)stream.h 1.73 97/05/29 SMI@(#)vnode.h 1.70 98/08/13 SMI@(#)cred.h 1.20 96/12/06 SMI@(#)resource.h 1.21 96/06/03 SMI@(#)seg_enum.h 1.3 95/12/22 SMI@(#)poll.h 1.24 97/04/18 SMI@(#)strmdep.h 1.8 92/07/14 SMI@(#)model.h 1.1 96/09/24 SMI@(#)byteorder.h 1.11 96/09/08 SMI@(#)netdb.h 1.18 96/09/24 SMI@(#)ctype.h 1.28 96/08/21 SMIacomp: WorkShop Compilers 5.0 99/12/04 C 5.0 patch 107289-05ld: Software Generation Utilities - Solaris-ELF (4.0).interp.hash.dynsym.dynstr.SUNW_version.rela.ex_shared.rela.bss.rela.plt.text.init.fini.exception_ranges.rodata.rodata1.got.plt.dynamic.ex_shared.data.data1.bss.symtab.strtab.stab.index.comment.shstrtab.stab.indexstrtocsin.cXa ; O ; V=3.1 ; R=WorkShop Compilers 5.0 99/12/04 C 5.0 patch 107289-05/home/ens/doug/src/custom/tocsin; /opt/SUNWspro5.0/bin/../SC5.0/bin/cc -O -DLOG_LEVEL='LOG_AUTH|LOG_NOTICE' -DPKTSIZE='96' -DSYSV -DSVR4 -c tocsin.c -W0,-xpmainmydlpi.cXa ; O ; V=3.1 ; R=WorkShop Compilers 5.0 99/12/04 C 5.0 patch 107289-05/home/ens/doug/src/custom/tocsin; /opt/SUNWspro5.0/bin/../SC5.0/bin/cc -O -DLOG_LEVEL='LOG_AUTH|LOG_NOTICE' -DPKTSIZE='96' -DSYSV -DSVR4 -c mydlpi.c -W0,-xp   \ \"o `- 0 =0 G@@ QPPW-4-4P]--Pc--u--.}..F5P5P5T5TD 778X8X(88P88::P:p;BFT G,U0V$070701000029af000041ed000050b7000000050000000339aee38d00000000000000ac0000000300000000000000000000000c00000003reloc/$ROOT070701000029b0000041ed000050b7000000050000000339aee38d00000000000000ac0000000300000000000000000000001000000003reloc/$ROOT/etc070701000029b1000041ed000050b7000000050000000239aee38d00000000000000ac0000000300000000000000000000001700000003reloc/$ROOT/etc/init.d070701000029b2000081a4000050b7000000050000000139aee211000009ce000000ac0000000300000000000000000000001e00000003reloc/$ROOT/etc/init.d/tocsin#!/sbin/sh # # /etc/init.d/tocsin - Start/Stop the tocsin daemon # # Aug 20 2000 Doug Hughes, Auburn University Engineering # Copyright 2000 # # this script should probably be run at run level 2 # 
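PATH=/usr/bin:/bin:/usr/sbin
export PATH

# Snoop-format capture written by "tocsin -o" (see tocsin(1m)).  init runs
# this script as root, so the capture must live in a directory that only
# root can write to.  The former /var/tmp/tocsin.snoop location let any
# local user plant a symbolic link or a bogus file of that name before the
# daemon was started.
LOGFILE=/var/log/tocsin.snoop

# "BASEDIR" here is a placeholder: the package postinstall rewrites this
# file with ed at pkgadd time (presumably substituting the chosen base
# directory), so keep this line exactly as it is.
PROG=BASEDIR/sbin/tocsin

# Ports that are monitored for now; edit $PORTS below as you wish.
# ":t" / ":u" restricts an entry to TCP / UDP (see tocsin(1m)).
#
# 3133[78] - back orifice
# 12345/12346 - netbus
# 143/943 - IMAP
# 1524 - ingreslock - also used by some trojans
# 109 - pop2
# 137/139 - samba/nbt stuff
# 3306 - mysql
# 98 - linuxconf
# 6667/7000 - ircd
# 24 - unregistered
# 2001 - trojan cow
# 2023 - ripper
# 1243 - Sub7 trojan
#
# Some other suggestions
#
# 67/68 - bootp/dhcp probes
# 161/162 (snmp) - could be triggered by automatic network discovery tools
# 177 - xdmcp - could be triggered by XDM broadcasts (for anybody using this)
# 194/994 - irc
# 389 - ldap (more and more legitimate stuff)
# 80/443 - web server
# 110 - pop3
# 512 biff/comsat
# 514 - rsh
# 515 - lpd/lpr
# 2049 - NFS
# 6000-6010 - X windows
# 25 - VERY risky - do not enable if you want to send or receive email
#
# Simple example:
#   $PROG rje courier link tcpmux
# Monitor lots of ports, but only TCP, and only this network as a
# destination for scans:
#   $PROG -T -D tcpmux telnet login exec 31337 31338 12345 12346 24 143 943 1524 109 137 139 3306 98 6667 7000 2001 2023 1243
# Same, logging in snoop format for later analysis:
#   $PROG -o $LOGFILE -D tcpmux telnet login exec 31337 31338 12345 12346 24 143 943 1524 109 137 139 3306 98 6667 7000 2001 2023 1243
# Choose UDP or TCP per port to cut down on false positives:
#   $PROG -o $LOGFILE -D tcpmux telnet login exec 31337:t 31338:t 12345:t 12346:t 24 67:u 143:t 943:t 1524:t 109:t 515:t 3306:t 98:t 6667:t 7000:t 2001:t 2023:t 2049:u
#
# DMZ example (the active one): fewer ports above 1024, particularly where
# NAT may be in use, to avoid false positives.  No -D, so all traffic
# passing through is seen.
PORTS="tcpmux telnet login exec 31337:t 31338:t 12345:t 12346:t 24 143 943:t 109 67:u 68:u 515:t 98:t 6667:t 7000:t"

# The capture holds the head of every matched packet; do not let the
# daemon create it world readable.
umask 077

# Print the PIDs of running tocsin daemons, one per line.  -x matches the
# process name exactly, so an unrelated process whose name merely contains
# "tocsin" is never reported (the old "ps -e | grep tocsin" did not check).
tocsin_pids() {
  pgrep -x tocsin 2>/dev/null
}

# Start the daemon unless the binary is missing, a daemon is already
# running, or the capture path has been replaced by a symbolic link.
# Returns 0 when a daemon is running afterwards, 1 otherwise.
tocsin_start() {
  if [ ! -x "$PROG" ]; then
    echo "$0: $PROG is missing or not executable; tocsin not started" >&2
    return 1
  fi
  if [ -n "`tocsin_pids`" ]; then
    echo "$0: tocsin is already running" >&2
    return 0
  fi
  if [ -h "$LOGFILE" ]; then
    echo "$0: $LOGFILE is a symbolic link; refusing to write through it" >&2
    return 1
  fi
  # $PORTS is deliberately unquoted: one argument per port entry.
  $PROG -o "$LOGFILE" $PORTS
}

# Send SIGTERM to every running tocsin daemon (the binary appears to log
# "stopping after receiving signal" and exit on it).
tocsin_stop() {
  pids=`tocsin_pids`
  if [ -n "$pids" ]; then
    # unquoted on purpose: one argument per PID
    kill $pids
  fi
}

case "$1" in
'start')
  tocsin_start
  ;;
'stop')
  tocsin_stop
  ;;
*)
  echo "usage: $0 { start | stop }"
  ;;
esac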