How to use the IDS/IPS testing tool inundator

http://bailey.st/blog/2010/07/02/inundator-anonymous-ids-evasion/


Inundator: anonymous IDS evasion

Inundator is an IDS evasion tool that generates an overwhelming number of false positives while you are performing an attack, in order to minimize the chance of the real attack being noticed. One of its main features is the ability to send the false attacks anonymously through a SOCKS proxy; using Tor is strongly recommended. It is also multithreaded, queue-driven, and supports multiple targets. The idea behind Inundator is to read the Snort rules and generate packets or traffic matching each parsed rule. Whether these false attacks are detected depends entirely on the IDS configuration of the target machine: a good configuration will determine if our false attacks are detected or not.

To get and install Inundator, go to inundator.sourceforge.net.

I tried Inundator against Suricata, and I was amazed to see the false positive attacks filling the Suricata IDS log.

Example:

inundator -r /etc/snort/rules   -p localhost:9050  victim_ip

where -r is the path to the Snort rules directory,
-p is the SOCKS proxy configuration (host:port),
and the last argument is the victim IP.

On the Suricata IDS sensor:

[1:2001219:18] ET SCAN Potential SSH Scan [**]
[Classification: Attempted Information Leak]
[Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

[1:2002995:6] ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack
[**] [Classification: Misc activity]
[Priority: 3] {6}  173.244.197.210:27041  -> victim_ip

[1:2002911:4] ET SCAN Potential VNC Scan 5900-5920
[**] [Classification: Attempted Information Leak]
[Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

Just to double check that the attack was coming from a Tor
exit node, I searched for the IP 173.244.197.210 on this list.

It is not always a good idea to be quiet.
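The alerts above show the defender's side of the problem: a single source tripping several unrelated signatures within seconds, which is exactly what a rule-driven noise generator produces and what an analyst should separate from the alerts that matter. The following script is an added example, not part of the original post and not Inundator's code. It parses Suricata/Snort "fast" format alert lines, flags any source address that triggers many distinct signatures inside a short window, and enriches each finding with the same kind of exit-node lookup the post did by hand. The sample log is constructed: the three ET SCAN signatures and the 173.244.197.210 address come from the post, while the [1:100000x:1] LOCAL TEST signatures, the timestamps, the 10.0.0.5 and 192.0.2.10 addresses and the one-entry exit-node list are placeholders.

```python
"""Triage Snort/Suricata 'fast' alerts for Inundator-style alert floods.

Added example (not part of the original post or of Inundator). One host
tripping many *different* signatures in seconds is the footprint of
rule-driven noise; real alerts from other sources should be looked at first.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fast.log line. The protocol field is "{TCP}" on current versions and a
# protocol number such as "{6}" on the 2010 build in the post; both are accepted.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: ET SCAN signatures and 173.244.197.210 are from the post;
# LOCAL TEST sids, timestamps, 10.0.0.5 and 192.0.2.10 are placeholders.
SAMPLE_FAST_LOG = """\
07/02/2010-13:40:00.000000  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.0.2.10:51000 -> 10.0.0.5:22
07/02/2010-13:42:21.000000  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> 10.0.0.5:22
07/02/2010-13:42:21.100000  [**] [1:2002995:6] ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {6} 173.244.197.210:27041 -> 10.0.0.5:993
07/02/2010-13:42:21.200000  [**] [1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> 10.0.0.5:5900
07/02/2010-13:42:22.000000  [**] [1:1000001:1] LOCAL TEST signature A [**] [Classification: Misc activity] [Priority: 3] {6} 173.244.197.210:27041 -> 10.0.0.5:80
07/02/2010-13:42:23.000000  [**] [1:1000002:1] LOCAL TEST signature B [**] [Priority: 3] {6} 173.244.197.210:27041 -> 10.0.0.5:443
07/02/2010-13:42:24.000000  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> 10.0.0.5:22
07/02/2010-13:44:30.000000  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.0.2.10:51001 -> 10.0.0.5:22
"""

# Constructed stand-in for the exit-node list the post consulted by hand;
# a real deployment would load the published list instead.
CONSTRUCTED_TOR_EXIT_LIST = frozenset({"173.244.197.210"})


def parse_fast_log(text):
    """Return one dict per parseable alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if not m:
            continue
        alerts.append({
            "ts": datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
            "sid": int(m["sid"]),
            "msg": m["msg"],
            "src": m["src"],
            "dst": m["dst"],
        })
    return alerts


def find_alert_floods(alerts, window_seconds=60, min_distinct_sids=4):
    """Per source IP, find the densest window of *distinct* signatures.

    Returns {src: info} only for sources whose best window reaches
    min_distinct_sids; a repeated single signature never qualifies.
    """
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)

    floods = {}
    window = timedelta(seconds=window_seconds)
    for src, items in by_src.items():
        items.sort(key=lambda a: a["ts"])
        best = 0
        # Slide a window starting at each alert; O(n^2) is fine for triage.
        for i, start in enumerate(items):
            seen = {a["sid"] for a in items[i:] if a["ts"] - start["ts"] <= window}
            best = max(best, len(seen))
        if best >= min_distinct_sids:
            floods[src] = {
                "distinct_sids": best,
                "total_alerts": len(items),
                "first_ts": items[0]["ts"],
                "last_ts": items[-1]["ts"],
                "messages": sorted({a["msg"] for a in items}),
            }
    return floods


def is_tor_exit(ip, exit_list):
    """Enrichment step mirroring the post's manual exit-node lookup."""
    return ip in exit_list


def triage(text, exit_list=CONSTRUCTED_TOR_EXIT_LIST):
    """Parse, detect floods, enrich; findings sorted by flood size."""
    floods = find_alert_floods(parse_fast_log(text))
    findings = [{"src": src, "tor_exit": is_tor_exit(src, exit_list), **info}
                for src, info in floods.items()]
    return sorted(findings, key=lambda f: f["distinct_sids"], reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_FAST_LOG):
        print(f"{f['src']}: {f['distinct_sids']} distinct signatures, "
              f"{f['total_alerts']} alerts, tor_exit={f['tor_exit']}")
```

On the constructed sample, 173.244.197.210 is reported as a flood (five distinct signatures in three seconds, matching the exit-node list), while 192.0.2.10, which only repeats one SSH-scan signature over several minutes, is left for normal triage. The window length and signature threshold are tuning knobs; the point is that distinct-signature density per source is a far better noise indicator than raw alert volume, which a single real scanner can also produce.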

This entry was posted in Uncategorized and tagged ids, snort, suricata on July 2, 2010.


5 thoughts on “Inundator: anonymous IDS evasion”

  1. epixoip, July 5, 2010 at 6:01 pm

    Hey Phillip,

    Thanks for the positive review of Inundator! Tom (itsthel10n) and I are overwhelmed by the amount of positive feedback and number of downloads in the very short amount of time that Inundator has been public. I especially appreciate that you took the time to write your own summation and review of Inundator instead of copying/pasting what’s on the Sourceforge page, thank you very much!

    Glad you are enjoying the application, and I’m even more glad to see that it worked against Suricata and not just Snort!

    Thanks again,
    Jeremi (epixoip)

  2. pbailey (Post author), July 5, 2010 at 6:39 pm

    I tested Inundator against Suricata because a multithreaded application deserves to be tested against another multithreaded app :-)

    Best, Phillip

  3. L10n, July 5, 2010 at 7:14 pm

    That is awesome that it works against suricata, thanks again for the positive review!

    Tom (L10n)

  4. Manjushree Sathish, September 14, 2010 at 11:56 pm

    Hello there,

    I am on my way with my MSc Dissertation under the topic “Evaluating Snort NIDS against resistance of False Positives”, where it would be necessary for me to generate as many False Positives as possible in order to check how the real alerts are hidden under these False Positives.

    I am using Inundator for the same, but somehow cannot get through in generating more than 4 alerts in Snort NIDS through Inundator.

    Following are my settings,

    * Connected 2 machines with Ubuntu 9.10 (the Karmic Koala) on them through a CISCO 800 Series router, with one having Snort NIDS and the other Inundator 0.5

    * Inundator Version,

    inundator version 0.5, using Perl v5.10.1 on linux
    libnet-socks-perl version: 0.03
    libnet-cidr-perl version: 0.13

    * Following are the alerts, which do not seem to change even after trying many options of Inundator,

    =====================================
    #0-(11-3)
    [local] [snort] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy
    2010-09-15 01:09:20
    10.10.10.4:58639
    10.10.10.6:2605
    TCP

    #1-(11-4)
    [local] [snort] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy
    2010-09-15 01:09:20
    10.10.10.6:17988
    10.10.10.4:58639
    TCP

    #2-(11-1)
    [snort] (portscan) TCP Portscan: 23:587
    2010-09-15 01:09:20
    10.10.10.4
    10.10.10.6
    Raw IP

    #3-(11-2)
    [snort] (portscan) Open Port: 80
    2010-09-15 01:09:20
    10.10.10.4
    10.10.10.6
    Raw IP

    ===================================

    Commands of Inundator tried,

    1) root> inundator -r /etc/snort/rules -p localhost:9050 10.10.10.6

    where, 10.10.10.6 is the victim IP

    2) root> inundator -r /etc/snort/rules -t 50 -p localhost:9050 10.10.10.6

    3) root> inundator 10.10.10.6

    And also,

    Having each Snort NIDS rules file, say ddos.rules, backdoor.rules, chat.rules etc., in a folder one at a time, and then calling the rules files by the following command,

    5) root> inundator -r /home/manjushree/rules/ -t 50 10.10.10.6

    Inundator comes out with the following message,

    Thread 49 terminated abnormally: Can’t use an undefined value as an ARRAY reference at /usr/bin/inundator line 180.
    [+] parent now attacking.
    [=] press ctrl+\ at any time to stop.

    Can’t use an undefined value as an ARRAY reference at /usr/bin/inundator line 180.
    Perl exited with active threads:
    0 running and unjoined
    49 finished and unjoined
    0 running and detached
    root@manjushree-desktop:~#

    - this seems to mean that Inundator is not picking up the rules at all, but still I have similar alerts from Snort NIDS as mentioned above.

    Please help me, as this is the only False Positive generator I know of which generates False Positives with a TCP connection established. I need to have some alerts, otherwise I would not be able to demonstrate anything...

    Any changes that you suggest in my network or any setting required?

    Thank you in anticipation of a reply,

    Warm Regards,
    Manjushree Sathish
