Pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing
Framework for Snort, Suricata and any IDS/IPS that generates an alert
file. It can be used to test the detection and blocking capabilities
of an IDS/IPS, to compare IDS/IPS, to compare configuration
modifications and to check/validate configurations.
The framework is shipped with about 300 tests grouped in 9 testing modules:
- clientSideAttacks: this module uses a reverse shell to provide the
server with instructions to download remote malicious files. This
module tests the ability of the IDS/IPS to protect against client-side
attacks.
- testRules: basic rules testing. These attacks are supposed to be
detected by the rules sets shipped with the IDS/IPS.
- badTraffic: Non RFC compliant packets are sent to the server to test
how packets are processed.
- fragmentedPackets: various fragmented payloads are sent to server to
test its ability to recompose them and detect the attacks.
- multipleFailedLogins: tests the ability of the server to track
multiple failed logins (e.g. FTP). Makes use of custom rules on Snort
and Suricata.
- evasionTechniques: various evasion techniques are used to check if
the IDS/IPS can detect them.
- shellCodes: send various shellcodes to the server on port 21/tcp to
test the ability of the server to detect/reject shellcodes.
- denialOfService: tests the ability of the IDS/IPS to protect against
DoS attempts
- pcapReplay: enables to replay pcap files
It is easily configurable and could integrate new modules in the future.
There are basically 6 types of tests:
- socket: open a socket on a given port and send the payloads to the
remote target on that port.
- command: send command to the remote target with the
subprocess.call() python function.
- scapy: send special crafted payloads based on the Scapy syntax
- multiple failed logins: open a socket on port 21/tcp (FTP) and
attempt to login 5 times with bad credentials.
- client side attacks: use a reverse shell on the remote target and
send commands to it to make them processed by the server (typically
wget commands).
- pcap replay: enables to replay traffic based on pcap files
Framework for Snort, Suricata and any IDS/IPS that generates an alert
file. It can be used to test the detection and blocking capabilities
of an IDS/IPS, to compare IDS/IPS, to compare configuration
modifications and to check/validate configurations.
The framework is shipped with about 300 tests grouped in 9 testing modules:
- clientSideAttacks: this module uses a reverse shell to provide the
server with instructions to download remote malicious files. This
module tests the ability of the IDS/IPS to protect against client-side
attacks.
- testRules: basic rules testing. These attacks are supposed to be
detected by the rules sets shipped with the IDS/IPS.
- badTraffic: Non RFC compliant packets are sent to the server to test
how packets are processed.
- fragmentedPackets: various fragmented payloads are sent to server to
test its ability to recompose them and detect the attacks.
- multipleFailedLogins: tests the ability of the server to track
multiple failed logins (e.g. FTP). Makes use of custom rules on Snort
and Suricata.
- evasionTechniques: various evasion techniques are used to check if
the IDS/IPS can detect them.
- shellCodes: send various shellcodes to the server on port 21/tcp to
test the ability of the server to detect/reject shellcodes.
- denialOfService: tests the ability of the IDS/IPS to protect against
DoS attempts
- pcapReplay: enables to replay pcap files
It is easily configurable and could integrate new modules in the future.
There are basically 6 types of tests:
- socket: open a socket on a given port and send the payloads to the
remote target on that port.
- command: send command to the remote target with the
subprocess.call() python function.
- scapy: send special crafted payloads based on the Scapy syntax
- multiple failed logins: open a socket on port 21/tcp (FTP) and
attempt to login 5 times with bad credentials.
- client side attacks: use a reverse shell on the remote target and
send commands to it to make them processed by the server (typically
wget commands).
- pcap replay: enables to replay traffic based on pcap files
0 comments:
Post a Comment