Posted: Mon Jun 30, 2003 5:56 pm Post subject: Testing IDS rulesets with HPing
This is an addendum to the earlier posted HPing tutorial on packet crafting. This will hopefully show you some more uses of this rather excellent tool. Once again I have only shown some basic probes of an IDS ruleset. You can get as complex as you wish. It also serves as an excellent platform to test out your custom signatures. Anyhow, enough jabbering from me! Read on, and hopefully you will not fall asleep.
The purpose of the following tcpdump traces, Snort output, and Hping command line syntax is to demonstrate the value of Hping. Its crafted packets will allow you to test and confirm your IDS ruleset. Only the TCP protocol was used in testing for the following examples, though one can get as creative as one wishes with the other supported protocols and TCP fields under Hping. For the below noted Snort output, Snort 2.0 build 72 was used along with the default ruleset.
For ease of viewing and understanding the below noted packets I will give a brief explanation of the fields found within the packet header itself.
Testbox sending crafted packets via Hping is 192.168.2.112
192.168.2.112 sending out a null packet
Command line syntax used for Hping and ensuing output from Hping
I will now show what happens when an XMAS packet is sent. Once again the above noted format will be used. If you become confused by the meaning of some of the packet metrics used, please see the earlier explanation of the header metrics.
192.168.2.112 sending out a XMAS packet
Command line syntax used for Hping and ensuing output from Hping
Jun 18 08:05:12 192.168.2.112:1215 -> 192.168.2.113:22 FULLXMAS **UAPRSF
As seen in the above noted examples, Hping is very much capable of testing out an IDS ruleset through the use of crafted packets. This is of value for the simple fact that it does confirm unequivocally that your IDS rulesets are triggering on expected stimulus such as the ones shown above. Hopefully some of you will find this somewhat useful.
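To make the confirmation step above repeatable, the following is an added example (not part of the original post) that parses log lines in the layout of the FULLXMAS line shown earlier and reports which expected test probes from the testbox never showed up. It assumes the 8-character flag field uses `*` for an unset bit with two leading reserved positions, as that line suggests; the NULL sample line and all function names are constructed for illustration.

```python
import re

# Layout taken from the single log line shown in the post:
#   <Mon DD HH:MM:SS> <src>:<sport> -> <dst>:<dport> <LABEL> <8-char flag field>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<label>\S+) (?P<flags>[*12UAPRSF]{8})$"
)
ALL_SIX = frozenset("UAPRSF")


def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Assumption: '*' marks an unset bit; the first two positions are reserved bits.
    rec["flagset"] = frozenset(c for c in rec["flags"][2:] if c != "*")
    return rec


def stimulus(flagset):
    """Name the probe from the decoded flags rather than trusting the label."""
    if not flagset:
        return "null"
    if flagset == ALL_SIX:
        return "fullxmas"
    return "other"


def missing_stimuli(lines, src, expected):
    """Expected probes from `src` that never appeared in the log."""
    seen = set()
    for line in lines:
        rec = parse(line)
        if rec and rec["src"] == src:
            seen.add(stimulus(rec["flagset"]))
    return sorted(set(expected) - seen)


SAMPLE = [
    # Line as shown in the post.
    "Jun 18 08:05:12 192.168.2.112:1215 -> 192.168.2.113:22 FULLXMAS **UAPRSF",
    # Constructed line: no flags set; label and timestamp are assumed.
    "Jun 18 08:01:40 192.168.2.112:1190 -> 192.168.2.113:22 NULL ********",
]

if __name__ == "__main__":
    print(missing_stimuli(SAMPLE, "192.168.2.112", ["null", "fullxmas"]))
```

An empty result means every probe you sent was logged; any name returned is a stimulus the ruleset did not react to.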