
How to test Suricata with Pytbull

12 September 2011 | Uncategorized

Your favourite Intrusion Detection/Prevention System (IDS/IPS) has just been installed and is running, and you are probably wondering whether everything works as it should, logging or dropping evil packets. Here comes Pytbull, a flexible Python-based IDS/IPS testing framework shipped with more than 300 tests grouped in 9 modules that cover a wide range of attacks (clientSideAttacks, testRules, badTraffic, fragmentedPackets, multipleFailedLogins, evasionTechniques, shellCodes, denialOfService, pcapReplay).

Testing your IDS/IPS with Pytbull will save you a great deal of time!

Let's assume we have an Ubuntu Linux testing box A with IP address 192.168.1.25 and a Smooth-Sec (Suricata) installation B with IP address 192.168.1.1.

On the testing box A (192.168.1.25), install the required packages and dependencies:


#apt-get install python python-scapy nmap hping3 nikto tcpreplay python-iniparse

Download and unpack Pytbull:

#wget https://downloads.sourceforge.net/project/pytbull/pytbull-1.3.tar.bz2
#bzip2 -cd pytbull-1.3.tar.bz2 | tar xf -
#cd pytbull

Edit the Pytbull configuration file:

vim config.cfg


#Pytbull config file
[CLIENT]
# ip address of the IDS to test. Keep comments on their own line: the config
# parser does not strip a trailing "#..." from a value, so an inline comment
# would become part of ipaddr.
ipaddr                  = 192.168.1.1
iface                   = eth0

[PATHS]
report                  = report.html
sudo                    = /usr/bin/sudo
nmap                    = /usr/bin/nmap
nikto                   = /usr/bin/nikto
niktoconf               = /root/pytbull/nikto.conf
hping3                  = /usr/sbin/hping3
tcpreplay               = /usr/bin/tcpreplay
urlpdf                  = http://droid-protector.com/borrar_ya/md5
alertsfile              = /var/log/suricata/fast.log

[CREDENTIALS]
ftpuser                 = pytbull
ftppasswd               = pytbull

Create the Nikto configuration file at the path given by niktoconf above (/root/pytbull/nikto.conf) with the following content:


#start nikto configuration file
SKIPPORTS=21 111
USERAGENT=Mozilla/4.75 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)
RFIURL=http://cirt.net/rfiinc.txt?
NIKTODTD=docs/nikto.dtd
DEFAULTHTTPVER=1.0
UPDATES=yes
MAX_WARN=20
CIRT=174.142.17.165
CHECKMETHODS=HEAD GET
@@MUTATE=dictionary;subdomain
@@DEFAULT=@@ALL;-@@MUTATE;tests(report:500)
#end nikto configuration file

Copy the Pytbull server script (the reverse shell used by the client-side attacks module) to the Smooth-Sec box 192.168.1.1:

#scp server/pytbull-server.py root@192.168.1.1:

Choose the test modules to run against Suricata in the [TESTS] section at the end of config.cfg (0 = disabled, 1 = enabled):

[TESTS]
clientSideAttacks = 1
testRules = 1
badTraffic = 1
fragmentedPackets = 1
multipleFailedLogins = 1
evasionTechniques = 1
shellCodes = 1
denialOfService = 1
pcapReplay = 1

On the Smooth-Sec box B (192.168.1.1), install the FTP and HTTP services the tests rely on (ports 21 and 80 are checked before the run) and create the pytbull user whose FTP login Pytbull uses to fetch the alerts file. Its home directory is the Suricata log directory, and it is added to the suricata group so it can read fast.log:

#apt-get install vsftpd apache2
#adduser --home /var/log/suricata --shell /bin/bash pytbull
#usermod -a -G suricata pytbull

Ubuntu's default vsftpd.conf does not allow local users to log in: make sure local_enable=YES is set in /etc/vsftpd.conf and restart vsftpd, otherwise the FTP login of the pytbull user, and with it the retrieval of the alerts file, fails.

Start the Pytbull server (the reverse shell) on the Smooth-Sec box 192.168.1.1, as root:


#python pytbull-server.py  --port 34567

                                 _   _           _ _
                     _ __  _   _| |_| |__  _   _| | |
                    | '_ \| | | | __| '_ \| | | | | |
                    | |_) | |_| | |_| |_) | |_| | | |
                    | .__/ \__, |\__|_.__/ \__,_|_|_|
                    |_|    |___/
                       Sebastien Damaye, aldeid.com

Checking root privileges......................................... [   OK   ]
Checking port to use............................................. [   OK   ]

Server started on port: 34567
Listening...

Run the tests from 192.168.1.25 against 192.168.1.1:


#python pytbull.py -t 192.168.1.1

                                 _   _           _ _
                     _ __  _   _| |_| |__  _   _| | |
                    | '_ \| | | | __| '_ \| | | | | |
                    | |_) | |_| | |_| |_) | |_| | | |
                    | .__/ \__, |\__|_.__/ \__,_|_|_|
                    |_|    |___/
                       Sebastien Damaye, aldeid.com

BASIC CHECKS
------------
Checking root privileges......................................... [   OK   ]
Checking remote port 21/tcp (FTP)................................ [   OK   ]
Checking remote port 22/tcp (SSH)................................ [   OK   ]
Checking remote port 80/tcp (HTTP)............................... [   OK   ]
Checking path for sudo........................................... [   OK   ]
Checking path for nmap........................................... [   OK   ]
Checking path for nikto.......................................... [   OK   ]
Checking path for niktoconf...................................... [   OK   ]
Checking path for hping3......................................... [   OK   ]
Checking path for tcpreplay...................................... [   OK   ]
Removing temporary file.......................................... [   OK   ]

TESTS
------------
Client Side Attacks.............................................. [   yes  ]
Test Rules....................................................... [   yes  ]
Bad Traffic...................................................... [   yes  ]
Fragmented Packets............................................... [   yes  ]
Multiple Failed Logins........................................... [   yes  ]
Evasion Techniques............................................... [   yes  ]
ShellCodes....................................................... [   yes  ]
Denial of Service................................................ [   yes  ]
Pcap Replay...................................................... [   yes  ]

-----------------------
DONE. Check the report.
-----------------------

Report view.

On the testing machine 192.168.1.25, the report is written to the path set by report in config.cfg (report.html). Either open that file directly in a browser, or, if a web server serves /var/www on the testing box, publish it there:

cp report.html /var/www/

and open http://192.168.1.25 in your web browser.
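The report tells you which tests raised an alert, but it pays to look at the alerts file Pytbull reads (alertsfile = /var/log/suricata/fast.log) yourself. The following Python 3 script is an added example, not part of the original post or of Pytbull: it parses fast.log lines, restricts them to the time window in which a test module ran, counts hits per signature ID and reports the SIDs you expected to fire but that produced no alert. The sample log lines, including the SIDs and rule messages and the deliberately malformed line, are constructed for this example and do not come from a real run.

```python
"""Parse Suricata fast.log alerts and check which expected rules fired.

Added example (not part of the original post or of Pytbull itself). It reads
the same file Pytbull fetches (alertsfile = /var/log/suricata/fast.log) so you
can verify by hand which signatures fired while a test module ran. The sample
lines below are constructed for this example; SIDs and messages are
illustrative and need not match your rule set.
"""
import re
from collections import Counter
from datetime import datetime

# One Suricata fast.log line has this shape:
# MM/DD/YYYY-HH:MM:SS.micro  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
# src/dst use \S+ so IPv6 addresses (which contain colons) still parse.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)
TS_FORMAT = "%m/%d/%Y-%H:%M:%S.%f"

# Constructed sample log (not output from a real run). The fourth line is
# deliberately malformed to show that the parser skips what it cannot read.
SAMPLE_FAST_LOG = """\
09/12/2011-14:03:11.102345  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.1:80 -> 192.168.1.25:51234
09/12/2011-14:03:15.558821  [**] [1:2001219:19] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.25:4444 -> 192.168.1.1:22
09/12/2011-14:03:15.558900  [**] [1:2001219:19] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.25:4445 -> 192.168.1.1:22
this line is garbage and must be skipped, not crash the parser
09/12/2011-14:09:40.000001  [**] [1:2010935:2] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:40122 -> 192.168.1.1:80
"""


def parse_ts(text):
    """Turn a fast.log timestamp into a datetime."""
    return datetime.strptime(text, TS_FORMAT)


def parse_fast_log(text):
    """Return a list of alert dicts; lines that are not fast.log alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # blank line, truncated write, or a format we do not know
        d = m.groupdict()
        d["ts"] = parse_ts(d["ts"])
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            d[key] = int(d[key])
        alerts.append(d)
    return alerts


def alerts_in_window(alerts, start, end):
    """Alerts whose timestamp falls in [start, end]. Note the clock before and
    after a module runs and you can attribute alerts to that module."""
    return [a for a in alerts if start <= a["ts"] <= end]


def count_by_sid(alerts):
    """Counter keyed by (sid, msg), so repeated hits of one rule stay visible."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


def missing_expected(alerts, expected_sids):
    """SIDs you expected a test to trigger but that produced no alert."""
    seen = {a["sid"] for a in alerts}
    return set(expected_sids) - seen


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    start = parse_ts("09/12/2011-14:03:00.000000")
    end = parse_ts("09/12/2011-14:04:00.000000")
    window = alerts_in_window(alerts, start, end)
    for (sid, msg), n in count_by_sid(window).most_common():
        print("%d x [%d] %s" % (n, sid, msg))
    print("expected but not seen:", sorted(missing_expected(window, {2100498, 2001219, 2010935})))
```

Point it at a copy of fast.log retrieved from the Smooth-Sec box and at the wall-clock window of one module, and the "expected but not seen" set tells you which rules you need to look at; a rule that never fires in the testRules window usually means the rule is not loaded or the traffic never reached the sensor's interface.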

Restore the Smooth-Sec box (192.168.1.1) to its previous state:

#apt-get remove vsftpd apache2
#deluser pytbull
#rm pytbull-server.py

Do not pass --remove-home to deluser here: the pytbull user's home directory is /var/log/suricata, so that would delete the Suricata logs along with the account.
