Friday, September 28, 2007

Fl0p: Decoding the Evil Genius Mindset

People who come from a Unix background always have real guts, and I bet you know what RTFM is all about. In fact it is Read The Fun Manual when you don't know how to use the commands or understand the technical section; sounds polite, doesn't it ;P

Thanks to one of my great friends who observed the Fun thing about fl0p, which was created by a man I really respect - Michal Zalewski. In fact my friend also fixed the packet retransmission handling in fl0p in order to identify the traffic flows more accurately, especially in busy networks. We also figured out that there's an error in the command line options: the -q for the packet timing threshold is in fact -T, and -q is used for quiet mode instead. We are not too sure about making the patch publicly available yet, but we hope to fix more things before we do so.

So what's this fun thing about, let's look at the fl0p command lines -

shell>./fl0p -h
Usage: ./fl0p [ -f file ] [ -i device ] [ -s file ] [ -o file ]
[ -u user ] [ -e ms ] [ -T ms ] [ -FUKrqvpdtl ] [ 'filter rule' ]
-f file - read fingerprints from file
-i device - listen on this device
-s file - read packets from tcpdump snapshot
-o file - write to this logfile (implies -t)
-u user - chroot and setuid to this user
-e ms - pcap capture timeout in milliseconds (1)
-T ms - packet timing threshold in milliseconds (400)
-F - disable fuzzy matching on all signatures
-U - display fingerprints for unidentified streams
-K - do not display known signatures (implies -U)
-r - resolve host names (not recommended)
-q - be quiet - no banner
-v - enable support for 802.1Q VLAN frames
-p - switch card to promiscuous mode
-d - daemon mode (fork into background)
-t - add timestamps to every entry
-l - output concise 1-line output

'Filter rule' is an optional pcap-style BPF expression (man tcpdump).

The command line looks innocent as it is. But what if I do -

shell>./fl0p -t -f /usr/local/etc/fl0p.fp -i eth0 -FUK -u geek00l

So this can be interpreted as F-U-tu.....-K u geek00l! Maybe we should implement another command line argument, -C. Or Zalewski must already have something in mind to implement for -C to complete fl0p.

Peace (;])
