Tuesday, October 25, 2011


snmp_bot is a library for botloader. Instead of attacking a target, snmp_bot gathers data from it. It works best when the data-gathering and the attacking are carried out on separate networks:

Configuring snmp_bot

To configure snmp_bot you need to specify an option string in the conf file which you feed to botloader. Because data-gathering bots behave differently from attack bots, the name of snmp_bot is prefixed with '#':

#snmp_bot 1 debug=1 time=120 oids=inOctets:.,droppedOctets:.,outOctets:.,cpuLoad1Min:.,userCPU%:.,systemCPU%:.,realMemoryFree%:.,totalMemoryFree%:. dest_ip=

This must all be on one line, so it's a bit difficult to edit. The SNMP OIDs are specified via the oids option. This consists of a comma-separated list of OIDs, each with an optional column heading separated from the OID by a colon. So the oid value "droppedOctets:." means "monitor the oid ." on the target and write the values to a file with the heading "droppedOctets". The interval for sampling the OID values defaults to 5 seconds, but you can change this when invoking botloader on the command line:

sudo botloader -c snmp_bot.conf -i en0 -t 10

This means that the sampling interval should be 10 seconds instead of 5.

Other values

Botloader itself takes charge of gathering data from any data bots it is asked to monitor. It also gathers sent and received packet counts from the attack bots and adds them to the log, so you will also find the columns "sent" and "rcvd" in the output.

The default output file is called "data.dat". If you rename it to "something.txt" you can load it into Excel or an OpenOffice spreadsheet as CSV, using tabs as delimiters. Then you can see the table of values properly:
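As an added example (not botloader's own code), here is a small Python parser for the snmp_bot conf line described above: it splits the oids option into (heading, oid) pairs, uses the OID itself as the heading when no colon is given, rejects an OID with no digits, and builds the tab-delimited column header that data.dat carries once botloader appends its "sent" and "rcvd" counts. The grammar of the rest of the line (a leading '#' for data bots, a second field assumed to be an instance count, then key=value options), the sample OIDs and the dest_ip value are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class BotSpec:
    name: str
    data_bot: bool   # True when the conf name carried the '#' prefix
    instances: int   # second field of the line; assumed to be an instance count
    options: dict = field(default_factory=dict)
    oids: list = field(default_factory=list)   # list of (heading, oid)

def parse_oids(value):
    """Split 'heading:oid,...'; a bare oid (no colon) is its own heading."""
    pairs = []
    for item in filter(None, value.split(",")):
        heading, sep, oid = item.partition(":")
        if not sep:                  # no colon: bare oid, no heading
            heading, oid = item, item
        if not oid.strip("."):       # an oid needs at least one digit
            raise ValueError(f"empty OID in oids option: {item!r}")
        pairs.append((heading, oid))
    return pairs

def parse_conf_line(line):
    """Parse '[#]name count key=value ...' (assumed grammar of the conf line)."""
    name, count, *opts = line.split()
    spec = BotSpec(name.lstrip("#"), name.startswith("#"), int(count))
    for opt in opts:
        key, sep, val = opt.partition("=")
        if not sep:
            raise ValueError(f"option without '=': {opt!r}")
        spec.options[key] = val
    if spec.data_bot and "oids" in spec.options:
        spec.oids = parse_oids(spec.options["oids"])
    return spec

def data_header(spec):
    """Column headings of data.dat: one per oid, then botloader's sent/rcvd counts."""
    return "\t".join([h for h, _ in spec.oids] + ["sent", "rcvd"])

# Constructed sample: OIDs are IF-MIB ifInOctets.1 / ifOutOctets.1, dest_ip a doc address
SAMPLE = ("#snmp_bot 1 debug=1 time=120 "
          "oids=inOctets:.1.3.6.1.2.1.2.2.1.10.1,.1.3.6.1.2.1.2.2.1.16.1 "
          "dest_ip=192.0.2.10")

if __name__ == "__main__":
    spec = parse_conf_line(SAMPLE)
    print(spec.oids)
    print(data_header(spec))
```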

Sunday, August 7, 2011

Broken pipe on write

This one puzzled me for a bit. I opened a socket, bound it to a local interface alias address, called connect to a remote machine. Everything was fine. No errors, errno = 0. Then I called write on the socket and it says: "broken pipe". It seems that the cause was that I forgot to set the family for the call to connect:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
/* connect an already-created socket fd to host:serv; returns fd, or -1 on failure */
int connect_to(int fd, const char *host, const char *serv)
{
    struct sockaddr_in servaddr;
    int rc = -1;
    memset(&servaddr, 0, sizeof(servaddr));
    servaddr.sin_family = AF_INET;        /* the line that had been missing */
    servaddr.sin_port = htons(atoi(serv));
    if (inet_pton(AF_INET, host, &servaddr.sin_addr) != 1) {
        printf("inet_pton failed\n");
    } else if (connect(fd, (const struct sockaddr *)&servaddr, sizeof(servaddr)) == 0) {
        rc = fd;                          /* return connected socket */
    }
    return rc;
}

So I thought I'd file this one for reference, in case I get it again. It's amazing how a simple typo can get you into so much trouble.