[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] pytbull, IDS/IPS Testing Framework
From: Sebastien Damaye <sebastien.damaye () gmail ! com>
Date: 2011-04-30 4:27:43
Message-ID: BANLkTimfLGGgONc1Wyig879kETHmYy+Ynw () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Hi guys,
I would like to share this new tool I have developed with you: pytbull,
available here: http://code.google.com/p/pytbull/
pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing
Framework for Snort and Suricata. It can be used to test the detection and
blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare
configuration modifications and to check/validate configurations.
The framework is shipped with about 300 tests grouped in 8 testing modules:
- *clientSideAttacks*: this module uses a reverse shell to provide the
server with instructions to download remote malicious files. This module
tests the ability of the IDS/IPS to protect against client-side attacks.
- *testRules*: basic rules testing. These attacks are supposed to be
detected by the rules sets shipped with the IDS/IPS.
- *badTraffic*: Non RFC compliant packets are sent to the server to test
how packets are processed.
- *fragmentedPackets*: various fragmented payloads are sent to server to
test its ability to recompose them and detect the attacks.
- *multipleFailedLogins*: tests the ability of the server to track
multiple failed logins (e.g. FTP). Makes use of custom rules on Snort and
Suricata.
- *evasionTechniques*: various evasion techniques are used to check if
the IDS/IPS can detect them.
- *shellCodes*: send various shellcodes to the server on port 21/tcp to
test the ability of the server to detect/reject shellcodes.
- *denialOfService*: tests the ability of the IDS/IPS to protect against
DoS attempts
It is easily configurable and could integrate new modules in the future.
There are basically 5 types of tests:
- *socket*: open a socket on a given port and send the payloads to the
remote target on that port.
- *command*: send command to the remote target with the subprocess.call()
python function.
- *scapy*: send special crafted payloads based on the Scapy syntax
- *multiple failed logins*: open a socket on port 21/tcp (FTP) and
attempt to login 5 times with bad credentials.
- *client side attacks*: use a reverse shell on the remote target and
send commands to it to make them processed by the server (typically wget
commands).
More information here: http://www.aldeid.com/index.php/Pytbull.
--
Cordialement/Regards,
Sébastien Damaye
http://www.aldeid.com
[Attachment #5 (text/html)]
Hi guys,<div><br></div><div>I would like to share this new tool I have developed with you: \
pytbull, available here: <a \
href="http://code.google.com/p/pytbull/">http://code.google.com/p/pytbull/</a></div><meta \
http-equiv="content-type" content="text/html; charset=utf-8"><div> <br></div><div><div>pytbull \
is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort and Suricata. \
It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare \
IDS/IPS, to compare configuration modifications and to check/validate configurations.</div> \
<div><br></div><div>The framework is shipped with about 300 tests grouped in 8 testing \
modules:</div><div><ul><li><b>clientSideAttacks</b>: this module uses a reverse shell to \
provide the server with instructions to download remote malicious files. This module tests the \
ability of the IDS/IPS to protect against client-side attacks.</li> <li><b>testRules</b>: basic \
rules testing. These attacks are supposed to be detected by the rules sets shipped with the \
IDS/IPS.</li><li><b>badTraffic</b>: Non RFC compliant packets are sent to the server to test \
how packets are processed.</li> <li><b>fragmentedPackets</b>: various fragmented payloads are \
sent to server to test its ability to recompose them and detect the \
attacks.</li><li><b>multipleFailedLogins</b>: tests the ability of the server to track multiple \
failed logins (e.g. FTP). Makes use of custom rules on Snort and Suricata.</li> \
<li><b>evasionTechniques</b>: various evasion techniques are used to check if the IDS/IPS can \
detect them.</li><li><b>shellCodes</b>: send various shellcodes to the server on port 21/tcp to \
test the ability of the server to detect/reject shellcodes.</li> <li><b>denialOfService</b>: \
tests the ability of the IDS/IPS to protect against DoS attempts</li></ul>It is easily \
configurable and could integrate new modules in the future.</div><div>There are basically 5 \
types of tests:</div> <div><ul><li><b>socket</b>: open a socket on a given port and send the \
payloads to the remote target on that port.</li><li><b>command</b>: send command to the remote \
target with the subprocess.call() python function.</li> <li><b>scapy</b>: send special crafted \
payloads based on the Scapy syntax</li><li><b>multiple failed logins</b>: open a socket on port \
21/tcp (FTP) and attempt to login 5 times with bad credentials.</li><li><b>client side \
attacks</b>: use a reverse shell on the remote target and send commands to it to make them \
processed by the server (typically wget commands).</li> </ul></div>More information here: <meta \
http-equiv="content-type" content="text/html; charset=utf-8"><a \
href="http://www.aldeid.com/index.php/Pytbull">http://www.aldeid.com/index.php/Pytbull</a>.</div><div><br>-- \
<br>Cordialement/Regards,<div> <br></div><div>Sébastien Damaye</div><div><a \
href="http://www.aldeid.com" target="_blank">http://www.aldeid.com</a><br></div><br> </div>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic