RID - Remote Intrusion Detection (http://www.theorygroup.com/Software/RID)
--------------------------------------------------------------------------

* Please see LICENSE for licensing information *

Purpose:  To use intrusion fingerprints to track down compromised hosts.

Scope:    TCP/UDP/ICMP (no fragmentation reassembly)

Specs:    The program can create somewhat arbitrary UDP/ICMP/TCP packets/streams
          and send them to a range of hosts. It also listens promiscuously for
          predefined intrusion "fingerprints".

Language: It's been a while since I've done BNF, so here's a not so scientific
          rendition of the config file language:

    begin <ID>
        send <PROTOCOL> <OPTIONS>
        recv <PROTOCOL> <OPTIONS>
        nmatch = <num>
    end <ID>

    PROTOCOL     =: TCP | UDP | ICMP
    OPTION       =: ICMP_OPTIONS | UDP_OPTIONS | TCP_OPTIONS
    ICMP_OPTIONS =: seq=<sequence> | id=<id> | type=<ICMP type> | code=<ICMP CODE> | data="<string>"
    UDP_OPTIONS  =: sport=<port> | dport=<port> | data="<string>" | code=<ICMP CODE>
    TCP_OPTIONS  =: NOT IMPLEMENTED YET

Note: nmatch is the number of matches in "recv" that need to occur to generate
a positive, i.e. to report a host as infected.

OS:       Currently only tested on Solaris 2.7. Should work on all modern
          Solaris. Linux interoperability is built in, but may need some
          tweaking (especially finding libpcap if you install it in a
          non-standard location).

Abstract:

Hackers (I use the term for ease of reference, not because it's necessarily
accurate) who compromise multiple machines are forced to deal with the same
issues that administrators of distributed networks encounter. They must
remember the passwords set on various facilities, they must remember which
hosts are compromised, they must remember which ports their backdoors are on,
etc. After a compromise, this information can often be turned into a
"fingerprint" of the intrusion. This tool is designed to be capable of
accurately specifying this "fingerprint" with little knowledge of network
programming. This tool *does* require some understanding of TCP/IP.

To Install:

Type
    ./configure
    make
    ./rid <ip>/<CIDR format>

You may have to locate libpcap manually and edit the Makefile.

Current shortcomings: SEE BUGS!

Similar Works:

This tool is an extension of ngrep (network grep) and netcat. It combines
their functionality with a common configuration language.

Thanks to:
  - EVERYONE IN THE CREDITS FILE!

Code and Concept Copyright Jan 10, 2000 David Brumley <dbrumley@stanford.edu>

IF YOU HAVE COMMENTS/SUGGESTIONS/BUGS, FEEL FREE TO EMAIL
David Brumley <dbrumley@theorygroup.com>
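The config language above is only given as informal BNF, so here is a worked parser for it, together with the "nmatch" decision rule, as an added example written for this README (it is not RID's own code and does not send or capture any packets). It assumes tokens are whitespace separated, that data="..." values contain no embedded double quotes, and, as a sanity check the README does not state, that nmatch must lie between 1 and the number of recv options; the fingerprint definitions in SAMPLE_CONFIG are constructed for the example.

```python
"""Parser for the RID fingerprint config language plus the nmatch rule.

Added example, not RID's own code. Assumptions: whitespace-separated tokens,
no embedded double quotes inside data="...", and 1 <= nmatch <= number of
recv options (the README only says nmatch is the number of recv matches
needed to call a host infected).
"""
import re

PROTOCOLS = {"TCP", "UDP", "ICMP"}
# Option names the README lists per protocol (TCP options: "NOT IMPLEMENTED YET").
ALLOWED = {
    "ICMP": {"seq", "id", "type", "code", "data"},
    "UDP": {"sport", "dport", "data", "code"},
    "TCP": set(),
}

# Either key=value (value "quoted" or bare, spaces around '=' allowed) or a bare keyword.
TOKEN_RE = re.compile(r'(?P<key>\w+)\s*=\s*(?P<val>"[^"]*"|[^\s"]+)|(?P<word>\S+)')


def tokenize(text):
    """Split config text into ("opt", key, value) and ("word", keyword, None) tokens."""
    toks = []
    for m in TOKEN_RE.finditer(text):
        if m.group("key"):
            val = m.group("val")
            if val.startswith('"'):
                val = val[1:-1]  # drop the surrounding quotes of data="..."
            toks.append(("opt", m.group("key"), val))
        else:
            toks.append(("word", m.group("word"), None))
    return toks


def parse_fingerprints(text):
    """Parse every begin/end block into a dict; raise ValueError on malformed input."""
    toks = tokenize(text)
    pos = 0
    fingerprints = []

    def word(expected=None):
        nonlocal pos
        if pos >= len(toks) or toks[pos][0] != "word":
            raise ValueError(f"expected keyword {expected or ''} at token {pos}")
        w = toks[pos][1]
        if expected is not None and w != expected:
            raise ValueError(f"expected {expected!r}, got {w!r}")
        pos += 1
        return w

    def packet_spec(direction):
        nonlocal pos
        proto = word().upper()
        if proto not in PROTOCOLS:
            raise ValueError(f"unknown protocol {proto!r} in {direction}")
        opts = {}
        # Options run until the next keyword or the nmatch line.
        while pos < len(toks) and toks[pos][0] == "opt" and toks[pos][1] != "nmatch":
            key, val = toks[pos][1], toks[pos][2]
            if key not in ALLOWED[proto]:
                raise ValueError(f"{key}= is not a valid {proto} option ({direction})")
            opts[key] = val
            pos += 1
        return {"proto": proto, "opts": opts}

    while pos < len(toks):
        word("begin")
        fid = word()
        word("send")
        send = packet_spec("send")
        word("recv")
        recv = packet_spec("recv")
        if pos >= len(toks) or toks[pos][:2] != ("opt", "nmatch"):
            raise ValueError(f"fingerprint {fid!r}: missing nmatch")
        nmatch = int(toks[pos][2])
        pos += 1
        # Assumption (not in the README): nmatch above the recv option count can never fire.
        if not 1 <= nmatch <= len(recv["opts"]):
            raise ValueError(f"fingerprint {fid!r}: nmatch={nmatch} but recv has {len(recv['opts'])} options")
        word("end")
        if word() != fid:
            raise ValueError(f"end id does not match begin id {fid!r}")
        fingerprints.append({"id": fid, "send": send, "recv": recv, "nmatch": nmatch})
    return fingerprints


def host_matches(fp, reply):
    """Apply the nmatch rule to one observed reply (same shape as a parsed packet spec).

    Returns (is_positive, number_of_recv_options_that_matched)."""
    if reply["proto"] != fp["recv"]["proto"]:
        return False, 0
    hits = sum(1 for k, v in fp["recv"]["opts"].items() if reply["opts"].get(k) == v)
    return hits >= fp["nmatch"], hits


# Constructed sample fingerprints for this example (not real intrusion signatures).
SAMPLE_CONFIG = """
begin udp_probe
    send UDP dport=12345 data="are you there"
    recv UDP sport=12345 data="yes" code=0
    nmatch = 2
end udp_probe

begin icmp_probe
    send ICMP type=8 code=0 id=4242 data="probe"
    recv ICMP type=0 code=0 id=4242
    nmatch = 3
end icmp_probe
"""

if __name__ == "__main__":
    for fp in parse_fingerprints(SAMPLE_CONFIG):
        print(fp["id"], fp["send"], fp["recv"], "nmatch", fp["nmatch"])
```

A real deployment would feed host_matches with fields decoded from the captured reply; here the reply dict is constructed so the rule can be exercised offline.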