{"id":3109,"date":"2011-05-16T10:58:43","date_gmt":"2011-05-16T09:58:43","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=3109"},"modified":"2015-09-09T19:37:13","modified_gmt":"2015-09-09T11:37:13","slug":"pytbull-intrusion-detectionprevention-system-idsips-testing-framework","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2011\/05\/pytbull-intrusion-detectionprevention-system-idsips-testing-framework\/","title":{"rendered":"pytbull &#8211; Intrusion Detection\/Prevention System (IDS\/IPS) Testing Framework"},"content":{"rendered":"<p>pytbull is an Intrusion Detection\/Prevention System (IDS\/IPS) Testing Framework for Snort, <a href=\"https:\/\/www.darknet.org.uk\/2010\/05\/suricata-open-source-next-generation-intrusion-detection-and-prevention-engine\/\">Suricata<\/a> and any IDS\/IPS that generates an alert file. It can be used to test the detection and blocking capabilities of an IDS\/IPS, to compare IDS\/IPS, to compare configuration modifications and to check\/validate configurations.<\/p>\n<p>The framework is shipped with about 300 tests grouped in 9 testing modules:<\/p>\n<ul>\n<li>clientSideAttacks: this module uses a reverse shell to provide the server with instructions to download remote malicious files. This module tests the ability of the IDS\/IPS to protect against client-side attacks.<\/li>\n<li>testRules: basic rules testing. These attacks are supposed to be detected by the rules sets shipped with the IDS\/IPS.<\/li>\n<li>badTraffic: Non RFC compliant packets are sent to the server to test how packets are processed.<\/li>\n<li>fragmentedPackets: various fragmented payloads are sent to server to test its ability to recompose them and detect the attacks.<\/li>\n<li>multipleFailedLogins: tests the ability of the server to track multiple failed logins (e.g. FTP). Makes use of custom rules on Snort and Suricata.<\/li>\n<li>evasionTechniques: various evasion techniques are used to check if the IDS\/IPS can detect them.<\/li>\n<li>shellCodes: send various shellcodes to the server on port 21\/tcp to test the ability of the server to detect\/reject shellcodes.<\/li>\n<li>denialOfService: tests the ability of the IDS\/IPS to protect against DoS attempts<\/li>\n<li>pcapReplay: enables to replay pcap files<\/li>\n<\/ul>\n<p>It is easily configurable and could integrate new modules in the future.<\/p>\n<p>There are basically 6 types of tests:<\/p>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<ul>\n<li>socket: open a socket on a given port and send the payloads to the remote target on that port.<\/li>\n<li>command: send command to the remote target with the subprocess.call() python function.<\/li>\n<li>scapy: send special crafted payloads based on the Scapy syntax<\/li>\n<li>multiple failed logins: open a socket on port 21\/tcp (FTP) and attempt to login 5 times with bad credentials.<\/li>\n<li>client side attacks: use a reverse shell on the remote target and send commands to it to make them processed by the server (typically wget commands).<\/li>\n<li>pcap replay: enables to replay traffic based on pcap files<\/li>\n<\/ul>\n<p>The official documentations is available here: <a href=\"http:\/\/pytbull.sourceforge.net\/index.php?page=documentation\">pytbull documentation<\/a>.<\/p>\n<p><strong>Changes\/Improvements in V1.1<\/strong><\/p>\n<ul>\n<li>Issue #2 fixed (test number incrementing twice just after the last test from multipleFailedLogins test)<\/li>\n<li>Issue #3 fixed (pcapReplay module not present in the checks on STDOUT)<\/li>\n<li>Code factoring in pytbull.py<\/li>\n<li>Timing options are now in parameters (config.cfg)<\/li>\n<li>Automatically checks and informs if a new version is available (use PROXY section in the configuration file if needed)<\/li>\n<li>New basic checks: Checks that paths are valid<\/li>\n<li>SVN tags added in source code<\/li>\n<\/ul>\n<p>You can download pytbull here:<\/p>\n<p><a href=\"http:\/\/downloads.sourceforge.net\/project\/pytbull\/pytbull-2.0.tar.bz2?r=http%3A%2F%2Fpytbull.sourceforge.net%2Findex.php%3Fpage%3Ddownloads&#038;ts=1378819705&#038;use_mirror=jaist\">pytbull-2.0.tar.bz2<\/a><\/p>\n<p>Or read more <a href=\"http:\/\/pytbull.sourceforge.net\/\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>pytbull is an Intrusion Detection\/Prevention System (IDS\/IPS) Testing Framework for Snort, Suricata and any IDS\/IPS that generates an alert file. It can be used to test the detection and blocking capabilities of an IDS\/IPS, to compare IDS\/IPS, to compare configuration modifications and to check\/validate configurations. The framework is shipped with about 300 tests grouped in [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[12,5,11],"tags":[215,49,8861,360,5280],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/3109"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=3109"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/3109\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=3109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=3109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=3109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}