Re: [Full-disclosure] [Tool] - inundator - an intrusion detection false positives generator.



That is not new and you should give the credits, not just for NNG (http://packetstormsecurity.org/filedesc/nng-4.13r-public.rar.html), but you are missing STICK, SNOT and and IDSWAKEUP as well.

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Sent on an  iPhone wireless device. Please, forgive any potential misspellings!

On Jul 1, 2010, at 10:25 PM, "epixoip" <epixoip@xxxxxxxx> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



homepage: http://inundator.bindshell.nl/
deb repo: deb http://inundator.sourceforge.net/repo/ all/
gpg key : http://inundator.sourceforge.net/inundator.asc

Announcing the release of inundator v0.5!

inundator is a modern twist on an old concept -- it's an
IDS/IPS/WAF evasion tool, used to anonymously flood intrusion
detection systems with false positives in order to obfuscate a real
attack. inundator leverages the vagueness and poor quality of
Snort's rules files to generate completely harmless packets / HTTP
requests that contain just enough keywords to trigger a false
positive. We thought this was an original idea, but it looks like
Snot, fwsnort's snortspoof, and possibly others beat us to the
punch. However, these tools were developed around the turn of the
century, are quite dated and well-forgotten, and overall quite
inferior to inundator.

inundator is full featured, multi-threaded, queue-based, supports
multiple targets, and requires the use of a SOCKS proxy for
anonymization. Via Tor, inundator is capable of generating around
1000 false positives per minute. Via a high-bandwidth SOCKS proxy,
you might be able to generate ten times that amount.

The general idea is one would launch inundator prior to starting an
attack, allow it to run during the attack, and continue to run it a
while longer after you've accomplished the attack. The goal, of
course, is to generate an overwhelming number of false positives so
that your real attack is essentially buried within the other
alerts, minimizing the chance of your attack being detected. It
could also be used to ruin an IDS analyst's day, or keep an
organization's infosec department busy for a while. I suppose it
could also be used to test the effectiveness of an IDS, but no, not
really.

inundator is implemented in Perl (version >= 5.10 is recommended
due to ithreads bugs in previous versions), and has been tested on
Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and Mac OS
X against Snort v2.8.5.2. It is presumed to work on all POSIX
operating systems. Hell, it might even work on Windows.

/epixoip.



-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkwtQBUACgkQacHgESW3wZpdIwP+P6LnI4PLGYPOOcoE84PKcVr/4dNu
/T9kXWFqi0WWE9mO5zGo/UqemhBEutjUsxH880i39AnpKVuHroBbuouO3p/9AJ+q6CoJ
z64LBg6mSYzzcrCbBGU1XGxNiNsqhaHc9SIMAYCM1Yj6jbnHrm+lMIzneIuCgRhIJeoj
NlqSahc=
=O9AY
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages