Inundator is a multi-threaded, queue-driven, anonymous intrusion detection false positives generator with support for multiple targets.
At a high level, Inundator builds an attack queue, organized by destination port, by parsing the content: and uricontent: fields from Snort's poorly written pattern-matching rules. Inundator then builds a target queue by performing a port scan to identify open TCP ports on each target provided by the user. Once the queues have been built, Inundator launches the requested number of worker threads. Each worker thread selects a random target from the target queue, as well as a random open port on the selected target. A random attack for the selected port is then selected from the attack queue, and this information is used to build a completely innocent packet or request that contains patterns matching typical intrusion detection rules. The crafted attack is then sent to the target via a SOCKS proxy (we default to Tor's local proxy). Each worker thread repeats this procedure in an infinite loop until the user aborts.
Quite obviously, the actual ruleset used by the target intrusion detection system will play a very large part in whether our crafted attacks trigger a false positive. Inundator will generate an overwhelming number of false positives on systems which use extremely poor pattern-matching rules, and few to no false positives on systems which use well-written rules, heuristic-based detection, or anomaly-based detection mechanisms.
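For defenders, the ruleset dependence described above can be checked ahead of time. The following added example (not part of Inundator or Snort) audits Snort 2-style rule text and flags enabled rules that fire on a bare content: or uricontent: pattern with no positional modifier and no pcre, byte_test or byte_jump check; the sample rules, the 8-byte threshold and the flagging criteria are assumptions chosen for illustration.

```python
import re

# Constructed sample rules for illustration; not taken from any real ruleset.
SAMPLE_RULES = r'''
alert tcp any any -> any 80 (msg:"constructed: bare keyword"; content:"cmd.exe"; sid:1000001;)
alert tcp any any -> any 80 (msg:"constructed: anchored"; flow:to_server,established; content:"GET "; depth:4; content:"/admin.php?id="; distance:0; pcre:"/id=\d{12,}/"; sid:1000002;)
alert tcp any any -> any 21 (msg:"constructed: short hex"; content:"|90 90|"; sid:1000003;)
# alert tcp any any -> any 25 (msg:"constructed: disabled"; content:"x"; sid:1000004;)
alert tcp any any -> any 25 (msg:"constructed: rate limited"; content:"RCPT TO"; detection_filter:track by_src, count 30, seconds 60; sid:1000005;)
'''

MIN_PATTERN_BYTES = 8  # assumption: review threshold, tune per ruleset
CONTENT_RE = re.compile(r'\b(?:uri)?content:\s*(!?)"((?:[^"\\]|\\.)*)"')
POSITIONAL = ("depth:", "offset:", "distance:", "within:")
SECONDARY = ("pcre:", "byte_test:", "byte_jump:")

def pattern_len(value):
    """Byte length of a content value: |hex| runs count one byte per pair."""
    parts = value.split("|")  # odd-indexed segments sit between pipes, so are hex
    hex_bytes = sum(len(re.findall(r"[0-9A-Fa-f]{2}", p)) for p in parts[1::2])
    return hex_bytes + sum(len(re.sub(r"\\(.)", r"\1", p)) for p in parts[0::2])

def audit(rules_text):
    """Return {sid: [reasons]} for enabled rules that match on a bare pattern."""
    findings = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and disabled rules
        body = line[line.find("(") + 1:line.rfind(")")]
        sid = re.search(r"\bsid:\s*(\d+)", body)
        positive = [v for neg, v in CONTENT_RE.findall(body) if not neg]
        if not sid or not positive:
            continue  # nothing pattern-based to assess
        # Blank out quoted values so keywords inside msg/content text don't count.
        opts = re.sub(r'"(?:[^"\\]|\\.)*"', '""', body)
        checks = [
            (sum(map(pattern_len, positive)) < MIN_PATTERN_BYTES, "short pattern"),
            (not any(k in opts for k in POSITIONAL), "unanchored"),
            (not any(k in opts for k in SECONDARY), "no secondary check"),
            ("detection_filter:" not in opts, "no rate limit"),
        ]
        reasons = [why for failed, why in checks if failed]
        if {"unanchored", "no secondary check"} <= set(reasons):
            findings[int(sid.group(1))] = reasons
    return findings
```

Rules reported with "no rate limit" as well are the ones most likely to flood an analyst queue; tightening the match or adding a detection_filter are the usual remedies to review.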