lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 01 Jul 2010 18:25:41 -0700 From: "epixoip" <epixoip@...h.com> To: full-disclosure@...ts.grok.org.uk, pen-test@...urityfocus.com, focus-ids@...urityfocus.com, security-basics@...urityfocus.com Subject: [Tool] - inundator - an intrusion detection false positives generator. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 homepage: http://inundator.bindshell.nl/ deb repo: deb http://inundator.sourceforge.net/repo/ all/ gpg key : http://inundator.sourceforge.net/inundator.asc Announcing the release of inundator v0.5! inundator is a modern twist on an old concept -- it's an IDS/IPS/WAF evasion tool, used to anonymously flood intrusion detection systems with false positives in order to obfuscate a real attack. inundator leverages the vagueness and poor quality of Snort's rules files to generate completely harmless packets / HTTP requests that contain just enough keywords to trigger a false positive. We thought this was an original idea, but it looks like Snot, fwsnort's snortspoof, and possibly others beat us to the punch. However, these tools were developed around the turn of the century, are quite dated and well-forgotten, and overall quite inferior to inundator. inundator is full featured, multi-threaded, queue-based, supports multiple targets, and requires the use of a SOCKS proxy for anonymization. Via Tor, inundator is capable of generating around 1000 false positives per minute. Via a high-bandwidth SOCKS proxy, you might be able to generate ten times that amount. The general idea is one would launch inundator prior to starting an attack, allow it to run during the attack, and continue to run it a while longer after you've accomplished the attack. The goal, of course, is to generate an overwhelming number of false positives so that your real attack is essentially buried within the other alerts, minimizing the chance of your attack being detected. It could also be used to ruin an IDS analyst's day, or keep an organization's infosec department busy for a while. I suppose it could also be used to test the effectiveness of an IDS, but no, not really. inundator is implemented in Perl (version >= 5.10 is recommended due to ithreads bugs in previous versions), and has been tested on Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and Mac OS X against Snort v2.8.5.2. It is presumed to work on all POSIX operating systems. Hell, it might even work on Windows. /epixoip. -----BEGIN PGP SIGNATURE----- Charset: UTF8 Version: Hush 3.0 Note: This signature can be verified at https://www.hushtools.com/verify wpwEAQMCAAYFAkwtQBUACgkQacHgESW3wZpdIwP+P6LnI4PLGYPOOcoE84PKcVr/4dNu /T9kXWFqi0WWE9mO5zGo/UqemhBEutjUsxH880i39AnpKVuHroBbuouO3p/9AJ+q6CoJ z64LBg6mSYzzcrCbBGU1XGxNiNsqhaHc9SIMAYCM1Yj6jbnHrm+lMIzneIuCgRhIJeoj NlqSahc= =O9AY -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists