Auditing IDS with Pytbull

Posted: November 14, 2011 in Guides, Random pontifications

So you’ve got your fancy new Intrusion Detection System set up, but how do you know it works?

Well, if you’re one of the who-knows-how-many Ubuntu users who followed this tutorial and didn’t update your rules from the defaults, then I can tell you it probably doesn’t work well.

What if you’re using a later or custom set of rules? How do you effectively test your IDS? Thankfully, there is a Python app for that. It’s called Pytbull, and it comes by default with BackTrack 5+ (you can install it on pretty much anything with Python, though).

Pytbull includes a fully featured framework for IDS testing with over 300 common attacks, divided into 9 modules. It’s essentially a two-part application: a client, which does the testing, and a server, whose purpose is to establish a reverse shell for client-side attack detection.

Configuring the IDS

There are a couple of prerequisites that must be configured on the IDS/server you are testing, which we will cover quickly. You will need at least the following installed on (or behind) the IDS system to be able to test it: FTP, SSH, and a web server. If you don’t have them on your Ubuntu-based IDS, you can install them with the following:

sudo apt-get update && sudo apt-get install apache2 vsftpd openssh-server

*Remember to remove them after you’re done with the test if you don’t actually intend to configure and use these services.

If Python isn’t installed on the IDS/server being tested (the one that will run the reverse shell), you will need it. Under Ubuntu, the following will install it:

sudo apt-get install python

Starting the Reverse Shell

At this point we need to copy the Pytbull reverse shell over to the system being tested and start it. For our purposes here we will be placing it in /opt/pytbull:

sudo mkdir /opt/pytbull
cp /opt/pytbull

Once it is copied over we can start the server. The port we are using for the reverse shell is 31337:

python -p 31337

Configuring the Client

Now that the IDS is configured for testing, we will configure the client. In the directory Pytbull is installed in (under BackTrack this is /pentest/enumeration/ids/pytbull), edit the config.cfg file.

Here is an example of what our config.cfg will look like for this test.

#Set these to the details of the system running the client
ipaddr                  =
iface                   = eth0

urlpdf                  =
pdfdir                  = pdf
alertsfile              = /var/log/snort/alert

#These paths depend on your operating system; they are very different under BackTrack
sudo                    = /usr/bin/sudo
nmap                    = /usr/bin/nmap
nikto                   = /data/pentest/scanners/nikto-2.1.4/
niktoconf               = /data/pentest/scanners/nikto-2.1.4/nikto.conf
hping3                  = /usr/sbin/hping3
tcpreplay               = /usr/bin/tcpreplay
localhost               =

#these are your FTP credentials for the IDS
ftpuser                 = dangertux
ftppasswd               = password

sleepbeforegetalerts    = 2
sleepbeforenexttest     = 2
sleepbeforetwoftp       = 2

useproxy                = 0
host                    =
port                    = 8080
user                    =
pass                    =

#reverse shell port
reverseshellport        = 31337

#The tests we want run; set a test to 1 to enable it or 0 to disable it.
clientSideAttacks       = 1
testRules               = 1
badTraffic              = 1
fragmentedPackets       = 1
multipleFailedLogins    = 1
evasionTechniques       = 1
shellCodes              = 1
denialOfService         = 0
pcapReplay              = 0
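Because the tool paths, ports and test flags above differ from one installation to the next, a quick pre-flight check of config.cfg saves a confusing failed run. The script below is an added example written for this post, not part of Pytbull; it reads the key = value layout shown above (section headers, if your copy has them, are skipped), and the embedded config is constructed for the demonstration, with a deliberately bogus nmap path, a blank ipaddr and a non-numeric test flag so the check has something to report.

```python
import os
import re

# Constructed config in the same key = value layout as Pytbull's config.cfg.
# The nmap path is deliberately wrong, ipaddr is blank and denialOfService
# is not 0/1 so the check has findings; nothing here is a real installation.
SAMPLE_CONFIG = """\
#client
ipaddr                  =
iface                   = eth0
alertsfile              = /var/log/snort/alert

sudo                    = /usr/bin/sudo
nmap                    = /nonexistent/placeholder/nmap
hping3                  = /usr/sbin/hping3
tcpreplay               = /usr/bin/tcpreplay

reverseshellport        = 31337
port                    = 8080

clientSideAttacks       = 1
denialOfService         = yes
"""

# Which keys we expect to hold what (assumed from the config shown in the post).
EXECUTABLES = ("sudo", "nmap", "hping3", "tcpreplay")
FILES = ("niktoconf", "alertsfile")
DIRS = ("nikto",)
PORTS = ("reverseshellport", "port")
REQUIRED = ("ipaddr", "iface", "alertsfile", "reverseshellport")
TEST_FLAGS = ("clientSideAttacks", "testRules", "badTraffic", "fragmentedPackets",
              "multipleFailedLogins", "evasionTechniques", "shellCodes",
              "denialOfService", "pcapReplay")
KV_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_config(text):
    """Read key = value pairs, ignoring comments, blank lines and [sections]."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "[")):
            continue
        m = KV_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def check_config(text, path_exists=os.path.exists,
                 is_exec=lambda p: os.access(p, os.X_OK)):
    """Return a list of problems that would make a Pytbull run fail or mislead."""
    cfg = parse_config(text)
    problems = []
    for key in REQUIRED:            # values the client cannot run without
        if not cfg.get(key):
            problems.append(f"{key} is empty")
    for key in EXECUTABLES:         # tools Pytbull shells out to
        p = cfg.get(key)
        if p and not (path_exists(p) and is_exec(p)):
            problems.append(f"{key}: {p} is missing or not executable")
    for key in FILES + DIRS:        # the alert file is what the results are read from
        p = cfg.get(key)
        if p and not path_exists(p):
            problems.append(f"{key}: {p} does not exist")
    for key in PORTS:
        v = cfg.get(key)
        if v and not (v.isdigit() and 1 <= int(v) <= 65535):
            problems.append(f"{key}: {v!r} is not a valid TCP port")
    for key in TEST_FLAGS:          # anything other than 0/1 is a typo
        v = cfg.get(key)
        if v is not None and v not in ("0", "1"):
            problems.append(f"{key}: {v!r} must be 0 or 1")
    return problems


if __name__ == "__main__":
    for problem in check_config(SAMPLE_CONFIG):
        print("config.cfg:", problem)
```

Run it from the Pytbull directory against the real file with `check_config(open("config.cfg").read())`; an empty list means the paths resolve, the ports are sane and every test flag is 0 or 1.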

Once you’ve edited the configuration to your liking, you can run the scan with the following:

python -t

*note : is the IP address of our IDS.

Evaluating The Results

[Screenshots: BASE console and Pytbull report]

If you’re using a particularly weak setup like the one I did, which followed nothing but the tutorial mentioned earlier, you’ll probably notice that a good deal of the “attacks” performed by Pytbull went undetected.

You can view the Pytbull report in the default report directory; also check your IDS logs to make sure that everything matches up.
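Matching the report against the IDS logs is easier with a little scripting. The following is an added example for this post, not code from Pytbull: it parses the Snort "full" alert format written to the alertsfile from config.cfg, keeps only alerts whose source is the Pytbull client inside the test window, counts how often each generator:sid fired, and lists the rules you expected to fire but which never did. The alert entries embedded below are constructed, as are the hosts, SIDs and times; the year is absent because Snort's default alert timestamps omit it.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of a Snort full-format alert file (the alertsfile path in
# config.cfg). Hosts, SIDs, messages and times are made up for this example.
SAMPLE_ALERTS = """\
[**] [1:1000001:1] LOCAL example rule [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/14-10:15:01.000001 192.168.1.50:40000 -> 192.168.1.10:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] LOCAL example rule without classtype [**]
11/14-10:15:04.000001 192.168.1.50:40001 -> 192.168.1.10:21
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF

[**] [1:1000001:1] LOCAL example rule [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/14-09:59:00.000001 10.0.0.7:1234 -> 192.168.1.10:80
TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:60 DF
"""

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: (.*?)\] \[Priority: (\d+)\]")
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Timestamp, then src[:port] -> dst[:port]; ports are absent for ICMP alerts.
FLOW_RE = re.compile(
    rf"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ({IP})(?::(\d+))? -> ({IP})(?::(\d+))?")
TS_FMT = "%m/%d-%H:%M:%S.%f"  # Snort omits the year unless run with -y


def parse_alerts(text):
    """Split a full-format alert file into one dict per alert record."""
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines()
        header = HEADER_RE.match(lines[0]) if lines else None
        if not header:
            continue  # not an alert header: skip truncated or foreign records
        gid, sid, rev, msg = header.groups()
        alert = {"gid_sid": f"{gid}:{sid}", "rev": int(rev), "msg": msg,
                 "classification": None, "priority": None,
                 "time": None, "src": None, "dst": None}
        for line in lines[1:]:
            cls = CLASS_RE.match(line)
            if cls:  # rules without a classtype have no such line
                alert["classification"] = cls.group(1)
                alert["priority"] = int(cls.group(2))
                continue
            flow = FLOW_RE.match(line)
            if flow:
                ts, src, _sport, dst, _dport = flow.groups()
                alert["time"] = datetime.strptime(ts, TS_FMT)
                alert["src"], alert["dst"] = src, dst
        alerts.append(alert)
    return alerts


def alerts_for_run(alerts, client_ip, start, end):
    """Keep alerts sourced from the Pytbull client inside the test window.

    start and end use the alert file's own MM/DD-HH:MM:SS notation."""
    t0 = datetime.strptime(start, "%m/%d-%H:%M:%S")
    t1 = datetime.strptime(end, "%m/%d-%H:%M:%S")
    return [a for a in alerts
            if a["src"] == client_ip and a["time"] and t0 <= a["time"] <= t1]


def count_by_sid(alerts):
    """How often each generator:sid fired during the run."""
    return Counter(a["gid_sid"] for a in alerts)


def undetected(expected_sids, alerts):
    """Expected rules (gid:sid strings) that never fired in the window."""
    return set(expected_sids) - set(count_by_sid(alerts))


if __name__ == "__main__":
    run = alerts_for_run(parse_alerts(SAMPLE_ALERTS), "192.168.1.50",
                         "11/14-10:00:00", "11/14-10:30:00")
    for gid_sid, n in sorted(count_by_sid(run).items()):
        print(f"{gid_sid}: {n} alert(s)")
    print("expected but missing:",
          undetected({"1:1000001", "1:1000002", "1:1000003"}, run))
```

Point it at the real file with `parse_alerts(open("/var/log/snort/alert").read())`, pass the client's ipaddr from config.cfg and the start and end times of the Pytbull run, and compare the SIDs that fired against the tests the report marks as passed; anything listed by `undetected` is a rule you believed would catch a test but which produced no alert.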

If you’re somewhat disappointed with your results, stay tuned: in the future I will be discussing how to write custom and effective Snort rules. 🙂

  1. Tushar Kumar says:

    Yes please do write it soon.
