IDSwakeup is a collection of tools for testing network intrusion detection systems. The main goal of IDSwakeup is to generate false attacks that mimic well-known ones, in order to see whether the NIDS detects them and generates false positives. Like nidsbench, IDSwakeup is being published in the hope that a more precise testing methodology might be applied to network intrusion detection, which is *still* a black art at best.

Download

This release of IDSwakeup includes:

  • IDSwakeup The main shell script, which launches hping2 or iwu. The user just has to choose which attack or set of attacks he or she wants to mimic. The user can also fix the TTL to produce short-TTL packets, so that only the NIDS is affected and not the servers.
    Usage: ./IDSwakeup <src addr> <dst addr> [nb] [ttl]
    Example: see screenshot.
    IDSwakeup requires hping2.
  • iwu Sends a buffer as a datagram. It allows changing the source address, the destination address and the TTL (in order to produce short-TTL packets). It also takes as a parameter the number of times the user wants to send the same datagram.
    Usage: ./iwu <srcIP> <dstIP> <nb> <ttl> <ip-datagram>
    Example: ./iwu 10.0.0.1 20.0.0.2 200 4 \
    "4500 0018 00f2 0003 4011 73db 0101 0101 0202 0202 e63e 4494"

    iwu requires libnet 1.x.
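    As an added worked example (not part of the IDSwakeup distribution), the following Python decodes the datagram from the iwu usage line above, so an analyst can see exactly what the NIDS receives: a lone, final UDP fragment at byte offset 24 from 1.1.1.1 to 2.2.2.2 whose header checksum is valid. It then applies the src/dst/ttl overrides that iwu takes on its command line and recomputes the checksum. That iwu patches these header fields in place and lets libnet refresh the checksum is an assumption about its behaviour, and the function names are mine.

```python
"""Decode, verify and rewrite the raw IPv4 datagram that iwu sends.

Added worked example, not code from IDSwakeup. The in-place src/dst/ttl
rewrite mirrors what the iwu command line lets the user change; that iwu
does it this way and relies on libnet to refresh the checksum is assumed.
"""
import socket
import struct

# Datagram taken verbatim from the iwu usage example on this page.
IWU_EXAMPLE = "4500 0018 00f2 0003 4011 73db 0101 0101 0202 0202 e63e 4494"


def hex_to_bytes(text):
    """Turn the whitespace-separated hex words iwu accepts into raw bytes."""
    return bytes.fromhex(text.replace(" ", "").replace("\n", ""))


def ip_checksum(header):
    """RFC 791 one's-complement sum of the 16-bit words of an IP header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(datagram):
    """Decode the 20-byte fixed IPv4 header and return its fields as a dict."""
    if len(datagram) < 20:
        raise ValueError("datagram shorter than an IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    ihl = (ver_ihl & 0x0F) * 4
    header = datagram[:ihl]
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "total_length": total_len,
        "id": ident,
        "flags": flags_frag >> 13,           # reserved, DF, MF
        "frag_offset": flags_frag & 0x1FFF,  # in 8-byte units
        "ttl": ttl,
        "protocol": proto,                   # 17 = UDP
        "checksum": csum,
        # A header whose checksum is right sums to 0xFFFF, complement 0.
        "checksum_ok": ip_checksum(header) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "payload": datagram[ihl:total_len],
    }


def summarize(fields):
    """One-line description of what a sensor on the path would log."""
    frag = ""
    if fields["frag_offset"] or fields["flags"] & 0x1:
        frag = " fragment offset=%d bytes%s" % (
            fields["frag_offset"] * 8,
            "" if fields["flags"] & 0x1 else " (last)")
    return "%s -> %s proto=%d ttl=%d%s checksum=%s" % (
        fields["src"], fields["dst"], fields["protocol"], fields["ttl"],
        frag, "ok" if fields["checksum_ok"] else "BAD")


def rewrite(datagram, src, dst, ttl):
    """Apply iwu's command-line overrides (assumed behaviour) and refresh the checksum."""
    ihl = (datagram[0] & 0x0F) * 4
    header = bytearray(datagram[:ihl])
    header[8] = ttl
    header[12:16] = socket.inet_aton(src)
    header[16:20] = socket.inet_aton(dst)
    header[10:12] = b"\x00\x00"              # zero before recomputing
    struct.pack_into("!H", header, 10, ip_checksum(bytes(header)))
    return bytes(header) + datagram[ihl:]


if __name__ == "__main__":
    raw = hex_to_bytes(IWU_EXAMPLE)
    print("as given:   ", summarize(parse_ipv4(raw)))
    # Same overrides as the page's "./iwu 10.0.0.1 20.0.0.2 200 4 ..." example.
    print("as iwu sends:", summarize(parse_ipv4(rewrite(raw, "10.0.0.1", "20.0.0.2", 4))))
```

    Running it shows why this datagram is useful as a false-positive probe: it is a last fragment with no first fragment, carrying four bytes of data, so a sensor that reassembles or flags odd fragments will react while the end host simply discards it. The TTL override is what makes the short-TTL trick from the usage line work: with ttl=4 the packet expires after a few hops, so only a sensor close to the sender ever sees it.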

The IDSwakeup suite is written by Stéphane Aubert; it is available as a beta version and published under a BSD-style license.

Screenshot ;-) :

# ./IDSwakeup 0 127.0.0.1 1 1
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- IDSwakeup : false positive generator
- Stephane Aubert - Hervé Schauer Consultants (c) 2000
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
src_addr:0 dst_addr:127.0.0.1 nb:1 ttl:1
sending : teardrop ...
sending : land ...
sending : get_phf ...
sending : bind_version ...
sending : get_phf_syn_ack_get ...
sending : ping_of_death ...
sending : syndrop ...
sending : newtear ...
sending : X11 ...
sending : SMBnegprot ...
sending : smtp_expn_root ...
sending : finger_redirect ...
sending : ftp_cwd_root ...
sending : ftp_port ...
sending : trin00_pong ...
sending : back_orifice ...
sending : msadcs ...
245.146.219.144 -> 127.0.0.1 80/tcp GET /msadc/msadcs.dll HTTP/1.0
sending : www_frag ...
225.158.207.188 -> 127.0.0.1 80/fragmented-tcp GET /................................... HTTP/1.0
181.114.219.120 -> 127.0.0.1 80/fragmented-tcp GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/../cgi-bin/phf HTTP/1.0
sending : www_bestof ...
137.78.167.188 -> 127.0.0.1 80/tcp GET / HTTP/1.0
165.90.83.96 -> 127.0.0.1 80/tcp GET //////// HTTP/1.0
249.174.111.124 -> 127.0.0.1 80/tcp HEAD / HTTP/1.0
101.146.51.80 -> 127.0.0.1 80/tcp HEAD /./
137.126.215.76 -> 127.0.0.1 80/tcp /cgi-bin\\handler
101.226.235.216 -> 127.0.0.1 80/tcp /cgi-bin\\webdist.cgi
241.70.55.180 -> 127.0.0.1 80/tcp /mlog.phtml
...