Full Disclosure mailing list archives
pytbull, IDS/IPS Testing Framework
From: Sebastien Damaye <sebastien.damaye () gmail com>
Date: Sat, 30 Apr 2011 06:27:43 +0200
Hi guys, I would like to share this new tool I have developed with you: pytbull, available here: http://code.google.com/p/pytbull/ pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort and Suricata. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations. The framework is shipped with about 300 tests grouped in 8 testing modules: - *clientSideAttacks*: this module uses a reverse shell to provide the server with instructions to download remote malicious files. This module tests the ability of the IDS/IPS to protect against client-side attacks. - *testRules*: basic rules testing. These attacks are supposed to be detected by the rules sets shipped with the IDS/IPS. - *badTraffic*: Non RFC compliant packets are sent to the server to test how packets are processed. - *fragmentedPackets*: various fragmented payloads are sent to server to test its ability to recompose them and detect the attacks. - *multipleFailedLogins*: tests the ability of the server to track multiple failed logins (e.g. FTP). Makes use of custom rules on Snort and Suricata. - *evasionTechniques*: various evasion techniques are used to check if the IDS/IPS can detect them. - *shellCodes*: send various shellcodes to the server on port 21/tcp to test the ability of the server to detect/reject shellcodes. - *denialOfService*: tests the ability of the IDS/IPS to protect against DoS attempts It is easily configurable and could integrate new modules in the future. There are basically 5 types of tests: - *socket*: open a socket on a given port and send the payloads to the remote target on that port. - *command*: send command to the remote target with the subprocess.call() python function. - *scapy*: send special crafted payloads based on the Scapy syntax - *multiple failed logins*: open a socket on port 21/tcp (FTP) and attempt to login 5 times with bad credentials. - *client side attacks*: use a reverse shell on the remote target and send commands to it to make them processed by the server (typically wget commands). More information here: http://www.aldeid.com/index.php/Pytbull. -- Cordialement/Regards, Sébastien Damaye http://www.aldeid.com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- pytbull, IDS/IPS Testing Framework Sebastien Damaye (Apr 29)