IDS/IPS测试工具inundator使用方法

http://bailey.st/blog/2010/07/02/inundator-anonymous-ids-evasion/

Inundator: anonymous IDS evasion

5 Replies

Inundator is and IDS evasion tool that can generate  an overwhelming number of false positives while you are performing the attack in order to minimize the detection. One of the main features of inundator is the possibility to send  false attacks anonymously via SOCKS proxy, the use  of Tor is strongly recommended. Other features are  multithread, queue-driven and multiple targets support. The concept beyond Inundator is to read the snort rules and generate packets or traffic from each rule previously parsed, the key of success is the IDS configuration on the target machine, a good configuration will determine if our false attacks are detected or not.

to get and install Inundator go to inundator.sourceforge.net

I tried Inundator against Suricata, and I was amazed to see the false positive attacks filling the Suricata IDS log.

Example:

inundator -r /etc/snort/rules   -p localhost:9050  victim_ip

where -r is the path to the snort rules location
where -p is the SOCKS proxy configuration
and the last argument is the victim ip

On the suricata IDS sensor:

[1:2001219:18] ET SCAN Potential SSH Scan [**]
[Classification: Attempted Information Leak]
[Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

[1:2002995:6] ET SCAN Rapid IMAPS Connections – Possible Brute Force Attack
[**] [Classification: Misc activity]
[Priority: 3] {6}  173.244.197.210:27041  -> victim_ip

[1:2002911:4] ET SCAN Potential VNC Scan 5900-5920
[**] [Classification: Attempted Information Leak]
[Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

Just to double check that the attack was coming from a TOR
exit node i searched the ip 173.244.197.210 on this list.

Not always is a good idea to be quiet.

This entry was posted in Uncategorized and tagged ids, snort, suricata on July 2, 2010.

Post navigation

← Fast-Track 4.0 and Ubuntu 10.04Suricata 1.0.0 setup on Ubuntu 10.04 →

5 thoughts on “Inundator: anonymous IDS evasion”

1. epixoipJuly 5, 2010 at 6:01 pm

   Hey Phillip,

   Thanks for the positive review of Inundator! Tom (itsthel10n) and I are overwhelmed by the amount of positive feedback and number of downloads in the very short amount of time that Inundator has been public. I especially appreciate that you took the time to write your own summation and review of Inundator instead of copying/pasting what’s on the Sourceforge page, thank you very much!

   Glad you are enjoying the application, and I’m even more glad to see that it worked against Suricata and not just Snort!

   Thanks again,
   Jeremi (epixoip)

   Reply ↓
2. pbaileyPost authorJuly 5, 2010 at 6:39 pm

   I tested Inundator against suricata because a multithread application deserve to be tested against another multithread app 

   Best , phillip

   Reply ↓
3. L10nJuly 5, 2010 at 7:14 pm

   That is awesome that it works against suricata, thanks again for the positive review!

   Tom (L10n)

   Reply ↓
4. Manjushree SathishSeptember 14, 2010 at 11:56 pm

   Hello there,

   I am on my way of my MSc Dissertaion under the topic, ” Evaluating Snort NIDS against resistance of FalsePositives” where is it would be necessary for me to generate aas much FalsePositves as possible inorder to check how the real alerts are hidden under these FaslePositives.

   I am using Inundator for the same, but some how cannot get through in generating more than 4 alerts in Snort NIDS through Inundator.

   Following are my settings,

   * Connected 2 machines with Ubuntu Ubuntu 9.10 – the Karmic Koala on them through CISCO 800 Series router with one having Snort NIDS and the other with Inundator 0.5

   * Inundator Version,

   inundator version 0.5, using Perl v5.10.1 on linux
   libnet-socks-perl version: 0.03
   libnet-cidr-perl version: 0.13

   * Following are the alerts which does not seem to change even after many options of Inundator,

   =====================================
   #0-(11-3)
   [local] [snort] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy
   2010-09-15 01:09:20
   10.10.10.4:58639
   10.10.10.6:2605
   TCP

   #1-(11-4)
   [local] [snort] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy
   2010-09-15 01:09:20
   10.10.10.6:17988
   10.10.10.4:58639
   TCP

   #2-(11-1)
   [snort] (portscan) TCP Portscan: 23:587
   2010-09-15 01:09:20
   10.10.10.4
   10.10.10.6
   Raw IP

   #3-(11-2)
   [snort] (portscan) Open Port: 80
   2010-09-15 01:09:20
   10.10.10.4
   10.10.10.6
   Raw IP

   ===================================

   Commands of Inundator tried,

   1) root> inundator -r /etc/snort/rules -p localhost:9050 10.10.10.6

   where, 10.10.10.6 is the victim IP

   2) root> inundator -r /etc/snort/rules -t 50 -p localhost:9050 10.10.10.6

   3) root> inundator 10.10.10.6

   And also,

   Having each Snort NIDS files say ddos.rules,backdoor.rules,chat.rules etc in a folderone at a time, and then calling the rules files by following command,

   5) root> inundator -r /home/manjushree/rules/ -t 50 10.10.10.6

   Inundator comes out with the following message,

   Thread 49 terminated abnormally: Can’t use an undefined value as an ARRAY reference at /usr/bin/inundator line 180.
   [+] parent now attacking.
   [=] press ctrl+\ at any time to stop.

   Can’t use an undefined value as an ARRAY reference at /usr/bin/inundator line 180.
   Perl exited with active threads:
   0 running and unjoined
   49 finished and unjoined
   0 running and detached
   root@manjushree-desktop:~#

   - this seems to be that Inundator is not picking the rules at all , But stil I have the similar alerts by Snort NIDS as mentioned above.

   Please help me as this is the only False Positive generator which I know which generates False Positive with TCP connection established. I need to have some alerts otherwise I would not be able to demonstrate anything…….

   Any changes that you suggest in my network or any setting required?

   Thank you in anticipation of a reply,

   Warm Regards,
   Manjushree Sathish