RID - Remote Intrusion Detection
--------------------------------

Purpose: To use intrusion fingerprints to track down compromised hosts.
Scope:   TCP/UDP/ICMP (No fragmentation reassembly)
Specs:   Program can create somewhat arbitrary UDP/ICMP/TCP packets/streams
         and send them to a range of hosts.  It also listens promiscuously
         for predefined intrusion "fingerprints".

Language: It's been a while since I've done BNF, so here's a not so
          scientific rendition of the config file language:

          begin <ID>
             send <PROTOCOL> <OPTIONS>
             recv <PROTOCOL> <OPTIONS> nmatch = <num>
          end <ID>

          PROTOCOL =: TCP | UDP | ICMP
          OPTIONS  =: ICMP_OPTIONS | UDP_OPTIONS | TCP_OPTIONS
          ICMP_OPTIONS =: seq=<sequence> | id=<id> | type=<ICMP type>
                          | code=<ICMP code> | data="<string>"
          UDP_OPTIONS  =: sport=<port> | dport=<port> | data="<string>"
                          | code=<ICMP code>
          TCP_OPTIONS  =: NOT IMPLEMENTED YET

          Note: nmatch is the number of matches in "recv" that need
                to occur to generate a positive that a host is
                infected.
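
Worked example (added here; this is not RID's own parser or matching
code): a small Python reader for the config language above, plus the
nmatch counting rule applied to a few constructed packet records.  The
packet dicts stand in for whatever RID's promiscuous listener decodes;
their field names (src, proto, sport, dport, type, code, id, seq, data),
the sample port/id values, and the choice to flag a host as soon as any
one "recv" line reaches its nmatch are all assumptions, not behaviour
taken from the tool.

```python
import re
from dataclasses import dataclass, field

PROTOCOLS = {"TCP", "UDP", "ICMP"}

# key=value with optional spaces around '=' (the grammar writes both
# "dport =<port>" and "nmatch = <num>"); a value is either a double-quoted
# string or a single bare token.
OPT_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')


@dataclass
class Rule:
    """One 'send' or 'recv' line: protocol plus its option fields."""
    proto: str
    options: dict
    nmatch: int = 1          # only meaningful on recv lines


@dataclass
class Fingerprint:
    """One 'begin <ID> ... end <ID>' block."""
    ident: str
    sends: list = field(default_factory=list)
    recvs: list = field(default_factory=list)


def _split2(text):
    parts = text.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def _parse_options(text):
    opts = {}
    for key, quoted, bare in OPT_RE.findall(text):
        opts[key] = bare if bare != "" else quoted
    return opts


def parse_config(text):
    """Turn config text into a list of Fingerprint blocks, rejecting
    malformed nesting and the not-yet-implemented TCP protocol."""
    fingerprints, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        word, rest = _split2(line)
        if word == "begin":
            if current is not None:
                raise ValueError(f"line {lineno}: nested begin")
            current = Fingerprint(rest.strip())
        elif word == "end":
            if current is None or rest.strip() != current.ident:
                raise ValueError(f"line {lineno}: end without matching begin")
            fingerprints.append(current)
            current = None
        elif word in ("send", "recv"):
            if current is None:
                raise ValueError(f"line {lineno}: {word} outside begin/end")
            proto, opt_text = _split2(rest)
            proto = proto.upper()
            if proto not in PROTOCOLS:
                raise ValueError(f"line {lineno}: unknown protocol {proto!r}")
            if proto == "TCP":
                raise ValueError(f"line {lineno}: TCP options not implemented yet")
            opts = _parse_options(opt_text)
            nmatch = int(opts.pop("nmatch", 1))   # recv-only threshold
            target = current.sends if word == "send" else current.recvs
            target.append(Rule(proto, opts, nmatch))
        else:
            raise ValueError(f"line {lineno}: unknown keyword {word!r}")
    if current is not None:
        raise ValueError(f"begin {current.ident} never closed")
    return fingerprints


def packet_matches(rule, packet):
    """A recv rule matches when the protocol agrees and every option on
    the rule equals the corresponding decoded packet field."""
    if packet.get("proto") != rule.proto:
        return False
    return all(str(packet.get(k)) == v for k, v in rule.options.items())


def evaluate(fingerprint, packets):
    """Count recv matches per (source host, recv rule).  A host is
    reported positive, with the indexes of the recv rules that fired,
    once any rule's count reaches its nmatch (assumption, see lead-in)."""
    counts = {}
    for pkt in packets:
        for idx, rule in enumerate(fingerprint.recvs):
            if packet_matches(rule, pkt):
                key = (pkt["src"], idx)
                counts[key] = counts.get(key, 0) + 1
    positives = {}
    for (host, idx), n in counts.items():
        if n >= fingerprint.recvs[idx].nmatch:
            positives.setdefault(host, []).append(idx)
    return positives


# Constructed sample config and packet records (values are made up).
SAMPLE_CONFIG = """
begin example_agent
   send UDP dport=9999 data="ping"
   recv UDP sport=9999 data="pong" nmatch = 2
   recv ICMP type=0 id=4242 data="pong" nmatch = 1
end example_agent
"""

SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "proto": "UDP", "sport": 9999, "dport": 31337, "data": "pong"},
    {"src": "10.0.0.5", "proto": "UDP", "sport": 9999, "dport": 31337, "data": "pong"},
    {"src": "10.0.0.6", "proto": "UDP", "sport": 9999, "dport": 31337, "data": "pong"},  # one reply: under nmatch
    {"src": "10.0.0.7", "proto": "ICMP", "type": 0, "code": 0, "id": 4242, "seq": 1, "data": "pong"},
    {"src": "10.0.0.8", "proto": "ICMP", "type": 0, "code": 0, "id": 1, "seq": 1, "data": "pong"},  # wrong id
]


def run_example():
    fp = parse_config(SAMPLE_CONFIG)[0]
    return evaluate(fp, SAMPLE_PACKETS)


if __name__ == "__main__":
    print(run_example())
```

Only 10.0.0.5 (two UDP replies, meeting nmatch = 2) and 10.0.0.7 (one
ICMP reply with the expected id, meeting nmatch = 1) come back positive;
10.0.0.6 falls one match short and 10.0.0.8 fails the id= field.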

OS:	Currently only tested on Solaris 2.7.  Should work on all modern
	Solaris.  Linux interoperability is built in, but may need some
	tweaking (esp. w/ bison/flex).

Abstract:
Hackers (I use the term for ease of reference, not because it's necessarily
accurate) who compromise multiple machines are forced to deal with the
same issues that administrators of distributed networks encounter.  They
must remember the passwords set on various facilities, they must remember
which hosts are compromised, they must remember which ports their backdoors
are on, etc.  After a compromise, this information can often be turned into
a "fingerprint" of the intrusion.  This tool is designed to let you
specify such a "fingerprint" accurately with little knowledge of
network programming.

This tool *does* require some understanding of TCP/IP.  

Current shortcomings:
 - You can't set the source port on UDP because that would require 
   unportable raw sockets.

 - It doesn't support TCP yet, though that is coming.

Similar Works:
This tool is based on an extension of ngrep (network grep).  It differs
in that it extends ngrep into a probing tool.

Thanks to:
 - David Dittrich for his efforts in other tools.
 - The SANS institute for being so neat.
 - Whitefang Dawt Kawm for his Raw Socket FAQ and list.

Code and Concept Copyright 
Jan 10, 2000 David Brumley <dbrumley@stanford.edu>


IF YOU HAVE COMMENTS/SUGGESTIONS/BUGS, FEEL FREE TO EMAIL 
David Brumley <dbrumley@stanford.edu>
