Inundator is an IDS evasion tool that generates an overwhelming number of false positives while an attack is being performed, in order to minimize the chance of the real attack being detected. One of its main features is the ability to send the false attacks anonymously through a SOCKS proxy; the use of Tor is strongly recommended. Other features are multithreading, a queue-driven design and support for multiple targets. The concept behind Inundator is to read the Snort rules and generate packets or traffic from each parsed rule; the key to success is the IDS configuration on the target machine, since a good configuration will determine whether our false attacks are detected or not.
To get and install Inundator, go to inundator.sourceforge.net.
I tried Inundator against Suricata, and I was amazed to see the false positive attacks filling the Suricata IDS log.
Example:
inundator -r /etc/snort/rules -p localhost:9050 victim_ip
where -r is the path to the Snort rules directory, -p is the SOCKS proxy (host:port) and the last argument is the victim IP.
On the Suricata IDS sensor:
[1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> victim_ip
[1:2002995:6] ET SCAN Rapid IMAPS Connections – Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {6} 173.244.197.210:27041 -> victim_ip
[1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> victim_ip
Just to double check that the attack was coming from a Tor exit node, I searched the IP 173.244.197.210 on this list.
It is not always a good idea to be quiet.
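As an added example that is not part of the original post, here is the defender's side of the picture: a small script that parses Suricata/Snort fast-log alert lines like the ones above and flags any source that trips many distinct signatures within a short window, which is the footprint a rule-driven noise generator leaves and the group of alerts an analyst should triage together rather than one by one. The sample log lines are constructed (timestamps and the 192.0.2.10 / 198.51.100.7 addresses are placeholders); the three ET SCAN signature IDs and the 173.244.197.210 source are the ones shown in the post.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Suricata/Snort "fast" alert format: one alert per line, as in the excerpt above.
FAST_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>[^}]+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$'
)

def parse_fast_line(line):
    """Return a dict with ts/gid/sid/rev/msg/prio/proto/src/dst for one alert line, else None."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y-%H:%M:%S")
    return e

def flood_sources(lines, window_seconds=60, min_distinct_sids=3):
    """Map source IP -> max number of distinct SIDs it fired inside any sliding
    window of window_seconds, keeping only sources at or above the threshold.
    Many unrelated signatures from one host within seconds is alert-flood noise."""
    events = sorted((e for e in map(parse_fast_line, lines) if e), key=lambda e: e["ts"])
    window = defaultdict(deque)    # src -> deque of (ts, sid) still inside the window
    counts = defaultdict(Counter)  # src -> Counter of sids inside the window
    flagged = {}
    for e in events:
        q, c = window[e["src"]], counts[e["src"]]
        q.append((e["ts"], e["sid"]))
        c[e["sid"]] += 1
        while (e["ts"] - q[0][0]).total_seconds() > window_seconds:  # expire old alerts
            _, old_sid = q.popleft()
            c[old_sid] -= 1
            if c[old_sid] == 0:
                del c[old_sid]
        if len(c) >= min_distinct_sids:
            flagged[e["src"]] = max(flagged.get(e["src"], 0), len(c))
    return flagged

# Constructed sample: the three ET SCAN signatures from the post fired by one source
# within three seconds, plus a single unrelated alert from another host minutes later.
SAMPLE_LOG = """\
09/15/2010-01:09:20.000001  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 173.244.197.210:27041 -> 192.0.2.10:22
09/15/2010-01:09:21.000001  [**] [1:2002995:6] ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 173.244.197.210:27041 -> 192.0.2.10:993
09/15/2010-01:09:22.000001  [**] [1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 173.244.197.210:27041 -> 192.0.2.10:5900
09/15/2010-01:15:00.000001  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 198.51.100.7:40001 -> 192.0.2.10:22
""".splitlines()
```

Running `flood_sources(SAMPLE_LOG)` on the constructed log flags only 173.244.197.210 (three distinct SIDs in one window); the lone alert from 198.51.100.7 is left for normal triage.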
Hey Phillip,
Thanks for the positive review of Inundator! Tom (itsthel10n) and I are overwhelmed by the amount of positive feedback and number of downloads in the very short amount of time that Inundator has been public. I especially appreciate that you took the time to write your own summation and review of Inundator instead of copying/pasting what’s on the Sourceforge page, thank you very much!
Glad you are enjoying the application, and I’m even more glad to see that it worked against Suricata and not just Snort!
Thanks again,
Jeremi (epixoip)
I tested Inundator against Suricata because a multithreaded application deserves to be tested against another multithreaded app.
Best, phillip
That is awesome that it works against suricata, thanks again for the positive review!
Tom (L10n)
Hello there,
I am on my way with my MSc dissertation on the topic "Evaluating Snort NIDS against resistance of False Positives", where it would be necessary for me to generate as many false positives as possible in order to check how the real alerts are hidden under these false positives.
I am using Inundator for the same, but somehow cannot get through in generating more than 4 alerts in Snort NIDS through Inundator.
Following are my settings,
* Connected 2 machines with Ubuntu 9.10 (the Karmic Koala) on them through a CISCO 800 Series router, with one having Snort NIDS and the other Inundator 0.5
* Inundator Version,
inundator version 0.5, using Perl v5.10.1 on linux
libnet-socks-perl version: 0.03
libnet-cidr-perl version: 0.13
* Following are the alerts, which do not seem to change even after trying many options of Inundator,
=====================================
#0-(11-3)
[local] [snort] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy
2010-09-15 01:09:20
10.10.10.4:58639
10.10.10.6:2605
TCP
#1-(11-4)
[local] [snort] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy
2010-09-15 01:09:20
10.10.10.6:17988
10.10.10.4:58639
TCP
#2-(11-1)
[snort] (portscan) TCP Portscan: 23:587
2010-09-15 01:09:20
10.10.10.4
10.10.10.6
Raw IP
#3-(11-2)
[snort] (portscan) Open Port: 80
2010-09-15 01:09:20
10.10.10.4
10.10.10.6
Raw IP
===================================
Commands of Inundator tried,
1) root> inundator -r /etc/snort/rules -p localhost:9050 10.10.10.6
where, 10.10.10.6 is the victim IP
2) root> inundator -r /etc/snort/rules -t 50 -p localhost:9050 10.10.10.6
3) root> inundator 10.10.10.6
And also,
Having each Snort NIDS rules file, say ddos.rules, backdoor.rules, chat.rules etc., in a folder one at a time, and then calling the rules files with the following command,
5) root> inundator -r /home/manjushree/rules/ -t 50 10.10.10.6
Inundator comes out with the following message,
Thread 49 terminated abnormally: Can’t use an undefined value as an ARRAY reference at /usr/bin/inundator line 180.
[+] parent now attacking.
[=] press ctrl+\ at any time to stop.
Can’t use an undefined value as an ARRAY reference at /usr/bin/inundator line 180.
Perl exited with active threads:
0 running and unjoined
49 finished and unjoined
0 running and detached
root@manjushree-desktop:~#
- this seems to mean that Inundator is not picking up the rules at all, but still I have the similar alerts from Snort NIDS as mentioned above.
Please help me, as this is the only false positive generator I know of which generates false positives with a TCP connection established. I need to have some alerts, otherwise I would not be able to demonstrate anything...
Any changes that you suggest in my network or any setting required?
Thank you in anticipation of a reply,
Warm Regards,
Manjushree Sathish