From: Mex <mail-sCRyVqy9GjLlU2aa1YSDXA <at> public.gmane.org>
Subject: pytbull, IDS/IPS Testing Framework
Newsgroups: gmane.comp.security.ids.snort.emerging-sigs
Date: Sunday 1st May 2011 07:23:56 UTC (over 6 years ago)
seen on FD, so this is copypasta; did not test it yet

http://seclists.org/fulldisclosure/2011/Apr/550



From: Sebastien Damaye 
Date: Sat, 30 Apr 2011 06:27:43 +0200
Hi guys,

I would like to share this new tool I have developed with you: pytbull,
available here: http://code.google.com/p/pytbull/

pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing
Framework for Snort and Suricata. It can be used to test the detection and
blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare
configuration modifications and to check/validate configurations.

The framework is shipped with about 300 tests grouped in 8 testing modules:

    - *clientSideAttacks*: this module uses a reverse shell to provide the
      server with instructions to download remote malicious files. This
      module tests the ability of the IDS/IPS to protect against client-side
      attacks.
    - *testRules*: basic rules testing. These attacks are supposed to be
      detected by the rule sets shipped with the IDS/IPS.
    - *badTraffic*: non-RFC-compliant packets are sent to the server to
      test how packets are processed.
    - *fragmentedPackets*: various fragmented payloads are sent to the
      server to test its ability to recompose them and detect the attacks.
    - *multipleFailedLogins*: tests the ability of the server to track
      multiple failed logins (e.g. FTP). Makes use of custom rules on Snort
      and Suricata.
    - *evasionTechniques*: various evasion techniques are used to check if
      the IDS/IPS can detect them.
    - *shellCodes*: sends various shellcodes to the server on port 21/tcp to
      test the ability of the server to detect/reject shellcodes.
    - *denialOfService*: tests the ability of the IDS/IPS to protect
      against DoS attempts.

It is easily configurable and could integrate new modules in the future.
There are basically 5 types of tests:

    - *socket*: open a socket on a given port and send the payloads to the
      remote target on that port.
    - *command*: send a command to the remote target with the
      subprocess.call() Python function.
    - *scapy*: send specially crafted payloads based on the Scapy syntax.
    - *multiple failed logins*: open a socket on port 21/tcp (FTP) and
      attempt to log in 5 times with bad credentials.
    - *client side attacks*: use a reverse shell on the remote target and
      send commands to it to make them processed by the server (typically
      wget commands).

More information here: http://www.aldeid.com/index.php/Pytbull.

-- 
Cordialement/Regards,

Sébastien Damaye
http://www.aldeid.com
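Every pytbull test, whatever its type, is ultimately judged by whether the IDS raised the expected alert while the test was running. The following is an added example (not pytbull's own code, which is not shown on this page) of that verification step: it parses Snort/Suricata "fast" alert-log lines and decides, per test, whether the expected rules fired inside the test's time window. The log lines, the sids (1000001-1000003, in the local-rules range) and the addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# One line of the Snort/Suricata "fast" alert format:
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...] ...
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

@dataclass
class Alert:
    ts: datetime
    sid: int
    msg: str

def parse_fast_log(text, year):
    """Parse fast-log lines; the format carries no year, so the caller supplies it."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip blank/garbled lines rather than abort the run
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append(Alert(ts, int(m["sid"]), m["msg"]))
    return alerts

def verdict(alerts, expected_sids, start, end):
    """'detected' if every expected sid fired inside [start, end],
    'partial' if only some did, 'missed' if none did. Alerts outside the
    window are ignored so unrelated traffic cannot mask a missed detection."""
    fired = {a.sid for a in alerts if start <= a.ts <= end and a.sid in expected_sids}
    if fired == set(expected_sids):
        return "detected"
    return "partial" if fired else "missed"

# Constructed sample log: two alerts during the test, one well after it.
SAMPLE_LOG = """\
05/01-07:23:56.123456  [**] [1:1000001:1] LOCAL test sid A [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40001 -> 192.0.2.20:21
05/01-07:23:58.000001  [**] [1:1000002:1] LOCAL test sid B [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40002 -> 192.0.2.20:21
05/01-07:30:00.000000  [**] [1:1000003:1] LOCAL test sid C [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:40003 -> 192.0.2.20:80
"""
SAMPLE_WINDOW = (datetime(2011, 5, 1, 7, 23, 50), datetime(2011, 5, 1, 7, 24, 10))

if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_LOG, 2011)
    print(verdict(alerts, [1000001, 1000002], *SAMPLE_WINDOW))  # detected
```

A real run would record `start` and `end` around each socket/command/scapy test and read the alert file from the sensor afterwards.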