Sunday, July 22, 2012

Pytbull - Intrusion Detection/Prevention System (IDS/IPS) Testing Framework

Pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort, Suricata and any IDS/IPS that generates an alert file. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations.

Pytbull has been integrated into BackTrack, the reference distribution for pentesters.

The framework is shipped with about 300 tests grouped in 11 testing modules:
  1. badTraffic: non-RFC-compliant packets are sent to the server to test how such packets are processed.
  2. bruteForce: tests the ability of the server to track brute force attacks (e.g. against FTP). Makes use of custom rules on Snort and Suricata.
  3. clientSideAttacks: this module uses a reverse shell to provide the server with instructions to download remote malicious files. It tests the ability of the IDS/IPS to protect against client-side attacks.
  4. denialOfService: tests the ability of the IDS/IPS to protect against DoS attempts.
  5. evasionTechniques: various evasion techniques are used to check whether the IDS/IPS can still detect the underlying attacks.
  6. fragmentedPackets: various fragmented payloads are sent to the server to test its ability to reassemble them and detect the attacks.
  7. ipReputation: tests the ability of the server to detect traffic from/to low-reputation hosts.
  8. normalUsage: payloads that correspond to normal usage, to check that legitimate traffic does not raise alerts.
  9. pcapReplay: replays pcap files against the server.
  10. shellCodes: sends various shellcodes to the server on port 21/tcp to test the ability of the server to detect/reject them.
  11. testRules: basic rule testing. These attacks are supposed to be detected by the rule sets shipped with the IDS/IPS.
It is easily configurable and could integrate new modules in the future.
There are basically 5 types of tests:
  1. socket: open a socket on a given port and send the payloads to the remote target on that port.
  2. command: send a command to the remote target with the subprocess.call() Python function.
  3. scapy: send specially crafted payloads written in Scapy syntax.
  4. client side attacks: use a reverse shell on the remote target and send commands to it so that they are processed by the server (typically wget commands).
  5. pcap replay: replay traffic from pcap files.
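Whatever the test type, the verdict comes from the same place: the payload is sent, then the IDS alert file is checked for the alert pattern the test expects. The block below is an added illustration of that loop for the socket type; it is not pytbull's own code. It assumes a Snort fast-format alert file, and the alert lines in it are constructed for the example.

```python
import re
import socket
import threading

# Constructed Snort-style "fast" alert lines standing in for the alert file an
# IDS writes while a test runs; they are not alerts from any real run.
SAMPLE_ALERTS = (
    "07/22-10:01:12.123456  [**] [1:1000001:1] FTP brute force attempt [**] "
    "[Priority: 2] {TCP} 10.0.0.5:51234 -> 10.0.0.10:21\n"
    "07/22-10:01:13.000001  [**] [1:2003:8] ET POLICY Suspicious user-agent [**] "
    "[Priority: 3] {TCP} 10.0.0.5:51235 -> 10.0.0.10:80\n"
)

def send_socket_payload(host, port, payload, timeout=3.0):
    """Socket-type test: open a TCP connection to the target port, send the payload."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
    return len(payload)

def new_alert_lines(before, after):
    """Only alerts appended while the test ran count; if the file was rotated
    or truncated in between, fall back to the whole new contents."""
    return after[len(before):] if after.startswith(before) else after

def evaluate_test(alert_text, expected_patterns):
    """Pattern-match verdict: 'Passed' if every expected pattern fired in the
    alert text, otherwise 'Failed' plus the patterns that did not fire."""
    missing = [p for p in expected_patterns
               if not re.search(p, alert_text, re.IGNORECASE)]
    return ("Passed" if not missing else "Failed"), missing

def loopback_demo(payload=b"USER anonymous\r\n"):
    """Offline exercise of the socket path: a throwaway listener on 127.0.0.1
    stands in for the target and returns the bytes it received."""
    received = []
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept():
        conn, _ = srv.accept()
        with conn:
            received.append(conn.recv(4096))

    t = threading.Thread(target=accept)
    t.start()
    send_socket_payload("127.0.0.1", srv.getsockname()[1], payload)
    t.join(timeout=3)
    srv.close()
    return received[0] if received else b""
```

A normalUsage-style check is the same call with the expectation inverted: a payload that should stay silent passes when evaluate_test reports every pattern as missing.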
Download -
Stable Release
pytbull-2.0.tar.bz2, released on Mar 01, 2012 (2 MB)
dedicated configuration file for BackTrack (SF #3439537)
configuration file is now dynamically specified as arg in CLI
sqlite3 support (results are saved in the database)
dynamic report with search and graphs (SF #3308695, SF #3306761) based on Cherrypy web server
bruteForce module rewritten (formerly multipleFailedLogins) (SF #3310130)
new module: ipReputation (SF #3306115)
new module: normalUsage (SF #3439544)
status updated (SF #3439541)
denialOfService module updated (SF #3439539)
reverseShell sync issue fixed (SF #3450032)
offline option added (SF #3438624)
warning banner added (SF #3310129)
part of interactive menu implemented (SF #3310123)
support of pattern matching for all modules (SF #3308727)
support for ftp, sftp and ftps (SF #3306961)
verbose switch for debugging (SF #3306837)
grouping of all modules in a dedicated modules directory (SF #3306836)
tests syntax improved (SF #3306114) based on environment variables defined in configuration file
split between modules and classes (creation of a dedicated classes/ dir)
Visit Website -
http://pytbull.sourceforge.net/
Documentation -
http://pytbull.sourceforge.net/index.php?page=documentation
Installation & implementation -
http://www.victoriaexpert.com/blog/109-how-to-test-your-system-with-pytbull.html
Screenshot -
