Pytbull: An IDS/IPS Testing Framework

Pytbull is an Intrusion Detection/Prevention System (IDS/IPS)testing framework for Snort and Suricata. We all know the greatness of these two projects. Even though it concentrates on Snort and Suricata, it can possibly be used to test the detection and blocking capabilities of other IDS/IPS also. You can also use it to compare IDS/IPS, or compare their configuration modifications or to simply check/validate configurations. The framework is well equipped with about 300 tests grouped in 8 testing modules, such as:
  • clientSideAttacks: This module uses a reverse shell to provide the server with instructions todownload remote malicious files. It tests the ability of the IDS/IPS to protect against client-side attacks.
  • testRules: It is a basic rules testing module. These attacks are supposed to be detected by the rules sets shipped with the IDS/IPS.
  • badTraffic: This module transmits non RFC compliant packets to the server to test how packets are processed and responded to.
  • fragmentedPackets: This module transmits various fragmented payloads to a server to test its ability to recompose them and detect the attacks.
  • multipleFailedLogins: This module tests the ability of the server to track multiple failed logins (e.g. FTP). It makes use of custom rules on Snort and Suricata.
  • evasionTechniques: This module employs various evasion techniques to check if the IDS/IPS can detect them.
  • shellCodes: This module transmits various shellcodes to the server on port 21/tcp to test the ability of the server to detect/reject shellcodes.
  • denialOfService: This module transmits tests the ability of the IDS/IPS to protect against simple DoS attempts.
Pytbull is easily configurable and could integrate new modules in the future. After downloading you need to edit the config.cfg file that accompanies the tool. It basically contains path information about a few settings and other tools such as NiktoHPING and Snort and Suricata alerts files. You can even prevent a few tests from running. How do you do that? Simply set 0 or 1 in the config.cfg file. As always, 0 means that the test will be ignored and 1 means that it will be added to the tests queue. Pytbull can run basically 5 types of tests:
  • Socket: open a socket on a given port and send the payloads to the remote target on that port.
  • Command: send command to the remote target with the python function.
  • Scapy: send special crafted payloads based on the Scapy syntax
  • Multiple failed logins: open a socket on port 21/TCP (FTP) and attempt to login 5 times with bad credentials.
  • Client side attacks: use a reverse shell on the remote target and send commands to it to make them processed by the server (typically wget commands).
Before running the tests, pytbull will cleverly perform a basic checks too. That’s not all, it also supports reporting! You can also have it report to a custom .html file. Its pre-requisites are:
Download Pytbull v0.3 (pytbull-0.3.tar.bz2here.


Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info. Thank You ! -Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You! -Team VOGH

Related Posts Plugin for WordPress, Blogger...