The framework is shipped with about 300 tests grouped in 9 testing modules:

• clientSideAttacks: this module uses a reverse shell to provide the server with instructions to download remote malicious files. This module tests the ability of the IDS/IPS to protect against client-side attacks.
• testRules: basic rules testing. These attacks are supposed to be detected by the rules sets shipped with the IDS/IPS.
• badTraffic: Non RFC compliant packets are sent to the server to test how packets are processed.
• fragmentedPackets: various fragmented payloads are sent to server to test its ability to recompose them and detect the attacks.
• multipleFailedLogins: tests the ability of the server to track multiple failed logins (e.g. FTP). Makes use of custom rules on Snort and Suricata.
• evasionTechniques: various evasion techniques are used to check if the IDS/IPS can detect them.
• shellCodes: send various shellcodes to the server on port 21/tcp to test the ability of the server to detect/reject shellcodes.
• denialOfService: tests the ability of the IDS/IPS to protect against DoS attempts
• pcapReplay: enables to replay pcap files

It is easily configurable and could integrate new modules in the future.

There are basically 6 types of tests:

• socket: open a socket on a given port and send the payloads to the remote target on that port.
• command: send command to the remote target with the subprocess.call() python function.
• scapy: send special crafted payloads based on the Scapy syntax
• multiple failed logins: open a socket on port 21/tcp (FTP) and attempt to login 5 times with bad credentials.
• client side attacks: use a reverse shell on the remote target and send commands to it to make them processed by the server (typically wget commands).
• pcap replay: enables to replay traffic based on pcap files

The official documentations is available here: pytbull documentation.

Changes/Improvements in V1.1

• Issue #2 fixed (test number incrementing twice just after the last test from multipleFailedLogins test)
• Issue #3 fixed (pcapReplay module not present in the checks on STDOUT)
• Code factoring in pytbull.py
• Timing options are now in parameters (config.cfg)
• Automatically checks and informs if a new version is available (use PROXY section in the configuration file if needed)
• New basic checks: Checks that paths are valid
• SVN tags added in source code

You can download pytbull here:

pytbull-1.1.tar.bz2

Or read more here.

Sguil (pronounced sgweel) is probably best described as an aggregation system for network security monitoring tools. It ties your IDS alerts into a database of TCP/IP sessions, full content packet logs and other information. When you’ve identified an alert that needs more investigation, the sguil client provides you with seamless access to the data you need to decide how to handle the situation. In other words, sguil simply ties together the outputs of various security monitoring tools into a single interface, providing you with the most information in the shortest amount of time.

Sguil uses a database backend for most of its data, which allows you to perform SQL queries against several different types of security events.

How is sguil different from Snort + ACID or Snort + BASE?

ACID & BASE are both web-based IDS alert management systems. They let you browse and search alerts, but don’t offer very much in the way of data-mining that would allow you to answer questions like, “Was this an attack attempt or a false positive?”, “Was the attempt successful?” or “What other machines did the attacker try to crack once he got into this one?”. They rely on you to do the research necessary to determine the severity of the situation.

Sguil’s design centers on providing convenient, quick access to a host of supporting information, which both saves you time and helps you make better decisions. Incidentally, because sguil uses a dedicated client instead of running through a web browser, you get a richer, more responsive user interface as well.

You can find snort here:

http://www.snort.org/

You can read more and download Sguil here:

http://sguil.sourceforge.net/

It’s good to see work on open source tools in the countermeasure department aswell as the attack and penetration arena.

It’s a shame since Snort and Nessus have gone semi-commercial.

I hope more people invest their time in good IDS, Firewall and IPS systems, I love things like IPCop and hope to see more products like HLBR.

HLBR is a brazilian project, started in november 2005, as a fork of the Hogwash project (started by Jason Larsen in 1996)

HLBR is an IPS (Intrusion Prevention System) that can filter packets directly in the layer 2 of the OSI model (so the machine doesn’t need even an IP address). Detection of malicious/anomalous traffic is done by rules based in signatures, and the user can add more rules. It is an efficient and versatile IPS, and it can even be used as bridge to honeypots and honeynets. Since it doesn’t make use of the operating system’s TCP/IP stack, it can be “invisible” to network access and attackers.

Since version 1.0, released in march 5th 2006, HLBR can use regular expressions to detect intrusion attempts, virus, worms, and phishing.

You can view the entire HLBR README file here.

Go to the HLBR Homepage for more information and downloads.

We are happy to announce that the 1.2.6 (christine) release of the Basic Analysis and Security Engine (BASE) is available.

BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.

I used to LOVE ACID, and I have to say BASE has taken it one step further, it’s a superb project.

A number of bugs have been fixed including some that affected IE and the setup system for BASE. A couple of interface tweaks have also been done to make it more user friendly.

The developers are currently looking for more people willing to test the BASE releases as they work on them. If you are interested, feel free to contact base@secureideas.net

The BASE team have also started coding the 2.x code base. If you have any ideas or feedback regarding that rewrite, please forward them to the BASE developers list which is a public mailing list.

You can download the new version of BASE at:

http://sourceforge.net/projects/secureideas

Basically the Americans are saying a lot of their sensitive govermental organisations are using Snort and they don’t want the software to be controlled by an Israeli company, they see it as a threat.

The same Bush administration review panel that approved a ports deal involving the United Arab Emirates has notified a leading Israeli software company that it faces a rare, full-blown investigation over its plans to buy a smaller rival.

The objections by the FBI and Pentagon were partly over specialized intrusion detection software known as “Snort,” which guards some classified U.S. military and intelligence computers.

Snort’s author is a senior executive at Sourcefire Inc., which would be sold to publicly traded Check Point Software Technologies Ltd. in Ramat Gan, Israel. Sourcefire is based in Columbia, Md.

Check Point was told U.S. officials feared the transaction could endanger some of government’s most sensitive computer systems. The company announced it had agreed to acquire Sourcefire in October.

Is it really a threat?

I’m guessing from this though that the US government then doesn’t use ANY Checkpoint devices or software in any of its organisations.

The ongoing 45-day investigation into the Israeli deal is only the 26th of its type conducted among 1,600 business transactions reviewed by the Committee on Foreign Investments in the United States. The panel, facing criticism by Congress about its scrutiny of the ports deal, judges the security risks of foreign companies buying or investing in American industry.

I wonder what the outcome is going to be.

Let’s hope the whole thing is dealt with properly.

Source: Redmond Mag – (Slashdot)