lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 30 Apr 2011 06:27:43 +0200
From: Sebastien Damaye <sebastien.damaye@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: pytbull, IDS/IPS Testing Framework

Hi guys,

I would like to share this new tool I have developed with you: pytbull,
available here: http://code.google.com/p/pytbull/

pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing
Framework for Snort and Suricata. It can be used to test the detection and
blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare
configuration modifications and to check/validate configurations.

The framework is shipped with about 300 tests grouped in 8 testing modules:

   - *clientSideAttacks*: this module uses a reverse shell to provide the
   server with instructions to download remote malicious files. This module
   tests the ability of the IDS/IPS to protect against client-side attacks.
   - *testRules*: basic rules testing. These attacks are supposed to be
   detected by the rules sets shipped with the IDS/IPS.
   - *badTraffic*: Non RFC compliant packets are sent to the server to test
   how packets are processed.
   - *fragmentedPackets*: various fragmented payloads are sent to server to
   test its ability to recompose them and detect the attacks.
   - *multipleFailedLogins*: tests the ability of the server to track
   multiple failed logins (e.g. FTP). Makes use of custom rules on Snort and
   Suricata.
   - *evasionTechniques*: various evasion techniques are used to check if
   the IDS/IPS can detect them.
   - *shellCodes*: send various shellcodes to the server on port 21/tcp to
   test the ability of the server to detect/reject shellcodes.
   - *denialOfService*: tests the ability of the IDS/IPS to protect against
   DoS attempts

It is easily configurable and could integrate new modules in the future.
There are basically 5 types of tests:

   - *socket*: open a socket on a given port and send the payloads to the
   remote target on that port.
   - *command*: send command to the remote target with the subprocess.call()
   python function.
   - *scapy*: send special crafted payloads based on the Scapy syntax
   - *multiple failed logins*: open a socket on port 21/tcp (FTP) and
   attempt to login 5 times with bad credentials.
   - *client side attacks*: use a reverse shell on the remote target and
   send commands to it to make them processed by the server (typically wget
   commands).

More information here: http://www.aldeid.com/index.php/Pytbull.

-- 
Cordialement/Regards,

Sébastien Damaye
http://www.aldeid.com

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ