I am the author of pytbull (http://pytbull.sourceforge.net), an IDS/IPS Testing Framework, written in Python.
pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort, Suricata and any IDS/IPS that generates an alert file. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations.
The framework is shipped with about 300 tests grouped in 9 testing modules:
- clientSideAttacks: this module uses a reverse shell to provide the server with instructions to download remote malicious files. This module tests the ability of the IDS/IPS to protect against client-side attacks.
- testRules: basic rules testing. These attacks are supposed to be detected by the rules sets shipped with the IDS/IPS.
- badTraffic: non-RFC-compliant packets are sent to the server to test how packets are processed.
- fragmentedPackets: various fragmented payloads are sent to the server to test its ability to recompose them and detect the attacks.
- multipleFailedLogins: tests the ability of the server to track multiple failed logins (e.g. FTP). Makes use of custom rules on Snort and Suricata.
- evasionTechniques: various evasion techniques are used to check if the IDS/IPS can detect them.
- shellCodes: send various shellcodes to the server on port 21/tcp to test the ability of the server to detect/reject shellcodes.
- denialOfService: tests the ability of the IDS/IPS to protect against DoS attempts.
- pcapReplay: enables replaying pcap files.
It is easily configurable and could integrate new modules in the future.
There are basically 6 types of tests:
- socket: open a socket on a given port and send the payloads to the remote target on that port.
- command: send a command to the remote target with the subprocess.call() Python function.
- scapy: send specially crafted payloads based on the Scapy syntax.
- multiple failed logins: open a socket on port 21/tcp (FTP) and attempt to login 5 times with bad credentials.
- client side attacks: use a reverse shell on the remote target and send commands to it to have them processed by the server (typically wget commands).
- pcap replay: enables replaying traffic based on pcap files.
- Download: https://downloads.sourceforge.net/pr...ll-1.3.tar.bz2
- Official documentation: http://pytbull.sourceforge.net/?page=documentation
- Demonstration video: http://www.youtube.com/watch?v=_zS1f-F9niw
- Online slides: https://docs.google.com/viewer?a=v&p...NmJjZjUz&hl=en
Since many security professionals like the tool, I'm sure it will be a good idea to include it in BackTrack. Here are some references:
- PentestIT: http://www.pentestit.com/2011/04/30/...ing-framework/
- Darknet.org.uk: http://www.darknet.org.uk/2011/05/py...ing-framework/
- Full Disclosure: http://seclists.org/fulldisclosure/2011/Apr/550
- SecuObs.com: http://secuobs.com/revue/news/301798.shtml
- Emergingfirstname.lastname@example.org: http://permalink.gmane.org/gmane.com...ing-sigs/10718
- Voice of Grey Hat: http://www.voiceofgreyhat.com/2011/0...framework.html
- Vulnerability Database: http://www.vulnerabilitydatabase.com...work-released/
- Information Security Guys: http://www.secguys.com/?p=67
- National Security Alert Italia: http://www.nsai.it/tag/pytbull-ids/
- Astalavista: http://www.astalavista.com/files/fil...-framework-03/
- rootsec Blogspot: http://r00tsec.blogspot.com/2011/04/...ework-for.html
- packet storm: http://packetstormsecurity.org/files...tbull-1.0.html
Feel free to contact me if you need any further information.
Many thanks in advance for your support and your interest.
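
An added example, not part of the original post and not pytbull's own code: one way to score test runs against an IDS alert file, parsing the Snort/Suricata "fast" alert format and reporting which test windows raised alerts. The function names, the time-window matching approach, and all sample data (addresses, SIDs, messages, timestamps) are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# "fast" alert layout written by Snort (alert_fast) and Suricata (fast.log):
#   MM/DD[/YY[YY]]-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
FAST_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")

def parse_ts(ts, default_year):
    """Snort omits the year unless told otherwise; Suricata writes it."""
    date, clock = ts.split("-", 1)
    parts = [int(p) for p in date.split("/")]
    year = parts[2] if len(parts) == 3 else default_year
    if year < 100:
        year += 2000
    t = datetime.strptime(clock, "%H:%M:%S.%f")
    return datetime(year, parts[0], parts[1], t.hour, t.minute, t.second, t.microsecond)

def parse_alerts(text, default_year):
    """Return (alerts, skipped): parsed alert dicts and count of unparseable lines."""
    alerts, skipped = [], 0
    for line in filter(str.strip, text.splitlines()):
        m = FAST_RE.match(line.strip())
        if not m:
            skipped += 1  # truncated or foreign line: count it, do not guess
            continue
        alerts.append({"time": parse_ts(m["ts"], default_year), "sid": int(m["sid"]),
                       "msg": m["msg"], "dst": m["dst"]})
    return alerts, skipped

def correlate(tests, alerts):
    """Map each test name to the sorted SIDs raised inside its time window."""
    return {name: sorted({a["sid"] for a in alerts if start <= a["time"] <= end})
            for name, start, end in tests}

# Constructed sample data: addresses, SIDs and messages are made up.
SAMPLE_LOG = """\
04/30-12:00:01.100000  [**] [1:1000001:1] LOCAL FTP failed logins [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:40000 -> 192.0.2.20:21
04/30/2011-12:00:09.500000  [**] [1:1000002:1] LOCAL shellcode on FTP [**] [Priority: 1] {TCP} 192.0.2.10:40001 -> 192.0.2.20:21
04/30-12:00:1
"""
def at(sec):
    return datetime(2011, 4, 30, 12, 0, sec)
SAMPLE_TESTS = [("multipleFailedLogins", at(0), at(5)), ("shellCodes", at(8), at(12)),
                ("fragmentedPackets", at(15), at(20))]

if __name__ == "__main__":
    alerts, skipped = parse_alerts(SAMPLE_LOG, default_year=2011)
    for name, sids in correlate(SAMPLE_TESTS, alerts).items():
        print(f"{name:22} {'DETECTED ' + str(sids) if sids else 'MISSED'}")
    print("unparseable lines:", skipped)
```

Window matching depends on the tester and the sensor sharing a synchronized clock, and unrelated traffic during a window can be credited to the wrong test, so a quiet lab network gives the cleanest results.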