Spraypal: How Capturing And Replaying Attack Traffic Can Save Your Ids presented at Blackhat USA 2010

by Patrick Engebretson, Kyle Pauli,

Tags: Security Testing

Summary : Testing Intrusion Detection Systems (IDS) to ensure the most malicious attacks are detected is a cornerstone of these systems, but there is no standardized method to execute these tests. Running live exploitations is not always a viable option – especially when the rule set isn’t finalized, and clients are often nervous about the use of “hacker tools” on their networks. Furthermore, educators struggle to teach IDS concepts as a standalone principle without teaching attack methodologies at the same time. We are releasing two artifacts to help solve these problems. First we introduce PAL, a PCAP Attack Library full of individual pre-captured attack files that can be easily replayed for IDS testing and education. This library is completely preassembled, clean, and extendable to include further additions of attacks. Our initial library is created from the findings in the Common Attack Pattern Enumeration Classification (CAPEC) from the Department of Homeland Security. Second, we introduce SprayPAL, a software tool that we’ve developed to replay the PCAP attack library files. Users can send attacks to a specific target or broadcast to an entire subnet of machines. Additional features include the ability to select individual or multiple simultaneous attacks as well as provide layer 2 and 3 packet level manipulation. We conclude by presenting a methodology for capturing attacks and adding them to the public library. Both our PCAP attack library and SprayPAL tool will be released at Black Hat 2010 to the general public.