pytbull - Intrusion Detection/Prevention System (IDS/IPS) Testing Framework

pytbull - Intrusion Detection/Prevention System (IDS/IPS) Testing Framework

pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort, Suricata and any IDS/IPS that generates an alert file. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations.

The framework is shipped with about 300 tests grouped in 11 testing modules:
  • badTraffic: Non RFC compliant packets are sent to the server to test how packets are processed.
  • bruteForce: tests the ability of the server to track brute force attacks (e.g. FTP). Makes use of custom rules on Snort and Suricata.
  • clientSideAttacks: this module uses a reverse shell to provide the server with instructions to download remote malicious files. This module tests the ability of the IDS/IPS to protect against client-side attacks.
  • denialOfService: tests the ability of the IDS/IPS to protect against DoS attempts
  • evasionTechniques: various evasion techniques are used to check if the IDS/IPS can detect them.
  • fragmentedPackets: various fragmented payloads are sent to server to test its ability to recompose them and detect the attacks.
  • ipReputation: tests the ability of the server to detect traffic from/to low reputation servers.
  • normalUsage: Payloads that correspond to a normal usage.
  • pcapReplay: enables to replay pcap files
  • shellCodes: send various shellcodes to the server on port 21/tcp to test the ability of the server to detect/reject shellcodes.
  • testRules: basic rules testing. These attacks are supposed to be detected by the rules sets shipped with the IDS/IPS.
pytbull snapshot

It is easily configurable and could integrate new modules in the future.

There are basically 5 types of tests:
  • socket: open a socket on a given port and send the payloads to the remote target on that port.
  • command: send command to the remote target with the python function.
  • scapy: send special crafted payloads based on the Scapy syntax.
  • client side attacks: use a reverse shell on the remote target and send commands to it to make them processed by the server (typically wget commands).
  • pcap replay: enables to replay traffic based on pcap files.

Pytbull's main interface is based on the command line (CLI). To avoid a long list of arguments, the majority of the options are provided in the configuration file.

During a test campaign, all tests are shown in real time and detailed results can be shown by using the debug option.

pytbull global stats snapshot

Note: The tests are based on a very comprehensive syntax that enables one to write his/her own tests.

Once all tests have been processed, a HTML based report is available.

Pytbull easily adapts to your environment, whatever your IDS/IPS (Snort, Suricata, or whatever) and your architecture (standalone mode, gateway mode).

Standalone mode: This is the default mode. It enables to test an IDS that is connected to the switch just as a standard computer on the network (only one network interface used).

Gateway mode: This mode is commonly used for IPS and has to be used in case two network interfaces are used on the IDS.

Note: Your Anti-Virus program may detect pytbull as a malware, because pytbull contains malicious payloads (for testing purposes).

No comments

Powered by Blogger.