SOPHOS XG IPS testing with Pytbull


Lab topology (pytbull runs in gateway mode, the XG sits inline between scanner and web server):

  Scanner             ----   Sophos XG   ----   Web server (HTTP/HTTPS)
  212.0.210.169              212.0.210.172 (Port B)
                             10.255.255.1  (Port C)        10.255.255.172


1) Scanner VM: ubuntu-lts-20-soph-pytbull
https://www.bgasecurity.com/2013/08/ack-kaynak-kodlu-yazlmlar-kullanarak/


212.0.210.169
cd /zzz/pytbull/pytbull-ng-main/source
time /zzz/pytbull/pytbull-ng-main/source/pytbull -t 212.0.210.172  --mode=gateway



2) Sophos XG 18.5.3 MR-3 VM: sophos-18.5.3_MR-3.VMW-408_virtual_vm8
Network adapter 1: vlan_0099 (Port A: https://172.17.99.117:4444/ , WebAdmin)
Network adapter 2: vlan_3098 (Port B: 212.0.210.172, DNAT to 10.255.255.172)
Network adapter 3: vlan_0666 (Port C: 10.255.255.1)


3) Web Server: ubuntu-lts-20-soph-web-server
Network adapter 1: vlan_0666 (10.255.255.172)
https://sxg.telco.md/


====================================

./GO-pytbull-scanner
(cd /zzz/pytbull/pytbull-ng-main/source
time /zzz/pytbull/pytbull-ng-main/source/pytbull -t 212.0.210.172  --mode=gateway)

                           __  __          ____                 
              ____  __  __/ /_/ /_  __  __/ / /     ____  ____ _
             / __ \/ / / / __/ __ \/ / / / / /_____/ __ \/ __ `/
            / /_/ / /_/ / /_/ /_/ / /_/ / / /_____/ / / / /_/ / 
           / .___/\__, /\__/_.___/\__,_/_/_/     /_/ /_/\__, /  
          /_/    /____/                                /____/   
           creator of pytbull:    Sebastien Damaye, aldeid.com
           creator of pytbull-ng: Michal Chrobak,   efigo.pl

What would you like to do?
1. Run a new campaign (will erase previous results)
2. View results from previous campaign
3. Exit
Choose an option: 1

(gateway mode)

+------------------------------------------------------------------------+
| pytbull will set off IDS/IPS alarms and/or other security devices      |
| and security monitoring software. The user is aware that malicious     |
| content will be downloaded and that the user should have been          |
| authorized before running the tool.                                    |
+------------------------------------------------------------------------+

BASIC CHECKS
------------
Checking root privileges.........................................[   OK   ]
Checking remote port 80/tcp (HTTP)...............................[   OK   ]
Checking path for sudo...........................................[   OK   ]
Checking path for nmap...........................................[   OK   ]
Checking path for nikto..........................................[   OK   ]
Checking path for niktoconf......................................[   OK   ]
Checking path for hping3.........................................[   OK   ]
Checking path for tcpreplay......................................[   OK   ]
Checking path for ab.............................................[   OK   ]
Checking path for ping...........................................[   OK   ]
Checking path for ncrack.........................................[   OK   ]
Removing temporary file..........................................[   OK   ]
Cleaning database................................................[   OK   ]

TESTS
------------
Client Side Attacks..............................................[   no   ]
Test Rules.......................................................[   no   ]
Bad Traffic......................................................[   yes  ]
Fragmented Packets...............................................[   yes  ]
Brute Force......................................................[   no   ]
Evasion Techniques...............................................[   yes  ]
ShellCodes.......................................................[   no   ]
Denial of Service................................................[   yes  ]
Pcap Replay......................................................[   yes  ]
Normal Usage.....................................................[   yes  ]
IP Reputation....................................................[   yes  ]


BAD TRAFFIC
------------
TEST #1 - [16:25:19-16:35:19] - Nmap Xmas scan........................[  done  ]
TEST #2 - [16:25:24-16:26:24] - Malformed Traffic.....................[  done  ]

FRAGMENTED PACKETS
------------

EVASION TECHNIQUES
------------
TEST #3 - [16:25:28-16:35:28] - Nmap decoy test (6th position)........[  done  ]
TEST #4 - [16:27:56-16:37:56] - Nmap decoy test (7th position)........[  done  ]
TEST #5 - [16:30:22-16:31:22] - Hex encoding..........................[  done  ]
TEST #6 - [16:30:26-16:40:26] - Nmap scan with fragmentation..........[  done  ]
TEST #7 - [16:31:15-16:32:15] - Nikto Random URI encoding.............[  done  ]
TEST #8 - [16:31:36-16:32:36] - Nikto Directory self reference........[  done  ]
TEST #9 - [16:32:11-16:33:11] - Nikto Premature URL ending............[  done  ]
TEST #10 - [16:32:47-16:33:47] - Nikto Prepend long random string.....[  done  ]
TEST #11 - [16:33:23-16:34:23] - Nikto Fake parameter.................[  done  ]
TEST #12 - [16:33:32-16:34:32] - Nikto TAB as request spacer..........[  done  ]
TEST #13 - [16:33:38-16:34:38] - Nikto Change the case of the URL.....[  done  ]
TEST #14 - [16:34:15-16:35:15] - Nikto Windows directory separator....[  done  ]
TEST #15 - [16:34:52-16:35:52] - Nikto Carriage return as request s...[  done  ]
TEST #16 - [16:34:58-16:35:58] - Nikto Binary value as request spac...[  done  ]
TEST #17 - [16:35:06-16:36:06] - Javascript Obfuscation...............[  done  ]

DENIAL OF SERVICE
------------
TEST #18 - [16:35:10-16:36:10] - ApacheBench DoS......................timed out...[  done  ]
TEST #19 - [16:36:14-16:37:14] - hping SYN flood......................[  done  ]

PCAP REPLAY
------------

NORMAL USAGE
------------
TEST #20 - [16:36:19-16:37:19] - ApacheBench 10 requests..............[  done  ]
TEST #21 - [16:36:25-16:37:25] - Standard ping........................[  done  ]

IP REPUTATION
------------
TEST #22 - [16:36:29-16:37:29] - IP Reputation 103.129.98.17..........[  done  ]
TEST #23 - [16:36:33-16:37:33] - IP Reputation 103.253.73.77..........[  done  ]
TEST #24 - [16:36:37-16:37:37] - IP Reputation 103.83.81.144..........[  done  ]
TEST #25 - [16:36:41-16:37:41] - IP Reputation 104.18.36.98...........[  done  ]
TEST #26 - [16:36:45-16:37:45] - IP Reputation 107.175.64.210.........[  done  ]
TEST #27 - [16:36:49-16:37:49] - IP Reputation 108.171.216.194........[  done  ]
TEST #28 - [16:36:53-16:37:53] - IP Reputation 110.4.45.119...........[  done  ]
TEST #29 - [16:36:57-16:37:57] - IP Reputation 184.168.221.43.........[  done  ]
TEST #30 - [16:37:01-16:38:01] - IP Reputation 185.104.45.20..........[  done  ]
TEST #31 - [16:37:05-16:38:05] - IP Reputation 185.174.100.116........[  done  ]

real    11m52.821s
user    0m10.923s
sys     0m3.134s


Sophos XG IPS logs (log viewer, IPS component; the Username column is empty in every row and the "Drop" value is the Action column):

Time           | Log comp | Log subtype | Action | Src IP        | Dst IP         | Signature ID | Signature name                                | Category      | Platform                                 | Victim | Firewall rule | Message ID | Live PCAP
6/9/2022 19:30 | IPS      | Signatures  | Drop   | 212.0.210.169 | 10.255.255.172 | 1122         | SERVER-WEBAPP /etc/passwd file access attempt | server-webapp | Linux                                    | Server | 6             | 7002       | Open PCAP
6/9/2022 19:27 | IPS      | Signatures  | Drop   | 212.0.210.169 | 10.255.255.172 | 2305362      | SCAN NMAP Script Scanner                      | scan          | BSD,Linux,Mac,Other,Solaris,Unix,Windows | Server | 6             | 7002       | Open PCAP
6/9/2022 19:27 | IPS      | Signatures  | Drop   | 212.0.210.169 | 10.255.255.172 | 2305362      | SCAN NMAP Script Scanner                      | scan          | BSD,Linux,Mac,Other,Solaris,Unix,Windows | Server | 6             | 7002       | Open PCAP
6/9/2022 19:27 | IPS      | Signatures  | Drop   | 212.0.210.169 | 10.255.255.172 | 2305362      | SCAN NMAP Script Scanner                      | scan          | BSD,Linux,Mac,Other,Solaris,Unix,Windows | Server | 6             | 7002       | Open PCAP
6/9/2022 19:27 | IPS      | Signatures  | Drop   | 212.0.210.169 | 10.255.255.172 | 2305362      | SCAN NMAP Script Scanner                      | scan          | BSD,Linux,Mac,Other,Solaris,Unix,Windows | Server | 6             | 7002       | Open PCAP

Two things to keep in mind when reading this against the pytbull output: the XG clock is about three hours ahead of the scanner's (19:27/19:30 here versus 16:25-16:37 in the run), so correlate by source IP, signature and shifted time rather than by raw timestamp; and only two signatures fired across 31 tests. The SYN flood (TEST #19) and ApacheBench (TEST #18) runs are the kind of traffic handled by DoS & spoof protection rather than by IPS signatures, so check that log component as well before treating a test with no IPS entry as a miss. pytbull itself cannot pull alerts off an XG appliance, so its own result view does not score these tests; the verdict has to come from the XG logs.
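To tie each IPS entry back to the pytbull test that produced it, the following Python script (added here as an example; it is neither pytbull's nor Sophos' code) parses the pytbull console lines and the log-viewer rows, corrects for the three-hour clock difference visible above (16:27 on the scanner versus 19:27 on the XG), and lists the candidate tests for every drop plus the tests no drop can be attributed to. Assumptions, all marked in the code: the XG rows are available as a tab-separated export with an "Action" column (the page's header shows "Username" in that position), the run date is the 6/9/2022 printed in the rows, the sample pytbull lines are the first eight tests copied from the run above, and a test's real window closes when the next test starts, because the second timestamp pytbull prints is the per-test timeout (which is why the brackets overlap).

```python
"""Map Sophos XG IPS log rows back to the pytbull test that was running.

Added example, not code from pytbull or Sophos. Assumptions are marked.
"""
import csv
import io
import re
from datetime import datetime, timedelta

RUN_DATE = "2022-06-09"            # assumed: the m/d/yyyy date shown in the XG rows
CLOCK_OFFSET = timedelta(hours=3)  # assumed: XG clock minus scanner clock (19:27 vs 16:27)

# Constructed sample: the first eight TEST lines of the pytbull run on this page.
PYTBULL_OUTPUT = """\
TEST #1 - [16:25:19-16:35:19] - Nmap Xmas scan........................[  done  ]
TEST #2 - [16:25:24-16:26:24] - Malformed Traffic.....................[  done  ]
TEST #3 - [16:25:28-16:35:28] - Nmap decoy test (6th position)........[  done  ]
TEST #4 - [16:27:56-16:37:56] - Nmap decoy test (7th position)........[  done  ]
TEST #5 - [16:30:22-16:31:22] - Hex encoding..........................[  done  ]
TEST #6 - [16:30:26-16:40:26] - Nmap scan with fragmentation..........[  done  ]
TEST #7 - [16:31:15-16:32:15] - Nikto Random URI encoding.............[  done  ]
TEST #8 - [16:31:36-16:32:36] - Nikto Directory self reference........[  done  ]
"""

# Constructed sample: the XG rows above as a tab-separated export (assumed format;
# the "Action" header is an assumption, the page's table shows "Username" there).
XG_EXPORT = """\
Time\tLog comp\tLog subtype\tAction\tSrc IP\tDst IP\tSignature ID\tSignature name
6/9/2022 19:30\tIPS\tSignatures\tDrop\t212.0.210.169\t10.255.255.172\t1122\tSERVER-WEBAPP /etc/passwd file access attempt
6/9/2022 19:27\tIPS\tSignatures\tDrop\t212.0.210.169\t10.255.255.172\t2305362\tSCAN NMAP Script Scanner
6/9/2022 19:27\tIPS\tSignatures\tDrop\t212.0.210.169\t10.255.255.172\t2305362\tSCAN NMAP Script Scanner
6/9/2022 19:27\tIPS\tSignatures\tDrop\t212.0.210.169\t10.255.255.172\t2305362\tSCAN NMAP Script Scanner
6/9/2022 19:27\tIPS\tSignatures\tDrop\t212.0.210.169\t10.255.255.172\t2305362\tSCAN NMAP Script Scanner
"""

TEST_RE = re.compile(
    r"TEST #(?P<num>\d+) - \[(?P<start>\d\d:\d\d:\d\d)-(?P<end>\d\d:\d\d:\d\d)\] - (?P<name>.*?)\.{3,}"
)


def _ts(hms):
    """Time-of-day from the pytbull console placed on the assumed run date."""
    return datetime.strptime(f"{RUN_DATE} {hms}", "%Y-%m-%d %H:%M:%S")


def parse_tests(text):
    """Return [(num, name, start, end)] on the scanner's clock.

    The second timestamp pytbull prints is start + per-test timeout, so a test's
    real window is closed at the next test's start (tests run one after another);
    the last test keeps its printed end.
    """
    tests = [[int(m["num"]), m["name"].strip(), _ts(m["start"]), _ts(m["end"])]
             for m in TEST_RE.finditer(text)]
    for cur, nxt in zip(tests, tests[1:]):
        cur[3] = min(cur[3], nxt[2])
    return [tuple(t) for t in tests]


def parse_xg_rows(tsv):
    """Return [(sig_id, sig_name, start, end)]: the minute-granular XG timestamp
    becomes a one-minute window shifted onto the scanner's clock."""
    rows = []
    for r in csv.DictReader(io.StringIO(tsv), delimiter="\t"):
        t = datetime.strptime(r["Time"], "%m/%d/%Y %H:%M") - CLOCK_OFFSET
        rows.append((int(r["Signature ID"]), r["Signature name"], t, t + timedelta(minutes=1)))
    return rows


def overlaps(a_start, a_end, b_start, b_end):
    """Half-open interval overlap."""
    return a_start < b_end and b_start < a_end


def correlate(tests, rows):
    """For each IPS row, the numbers of the tests whose window overlaps it
    (several, because the XG only logs to the minute)."""
    out = []
    for sig_id, name, s, e in rows:
        out.append((sig_id, name, [n for n, _, ts, te in tests if overlaps(ts, te, s, e)]))
    return out


def untouched(tests, rows):
    """Tests that no IPS row can be attributed to: check the other XG log
    components (DoS & spoof protection, firewall) before calling them misses."""
    seen = set()
    for _, _, hits in correlate(tests, rows):
        seen.update(hits)
    return [n for n, *_ in tests if n not in seen]


if __name__ == "__main__":
    tests = parse_tests(PYTBULL_OUTPUT)
    rows = parse_xg_rows(XG_EXPORT)
    for sig_id, name, hits in correlate(tests, rows):
        print(f"{sig_id:>8}  {name:<46} candidate tests {hits}")
    print("no IPS hit:", untouched(tests, rows))
```

With the page's data this attributes signature 1122 (/etc/passwd access) to tests 4, 5 or 6, of which the hex-encoding test (#5) is the one that sends an encoded path traversal, and signature 2305362 (NMAP script scanner) to the decoy scans (#3, #4); tests 1, 2, 7 and 8 of the sample have no IPS entry at all. Replace the two constructed inputs with the full pytbull log (tee the run to a file) and a real export of the IPS log to get the same breakdown for all 31 tests.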

[screenshot: IPS logs]

[screenshot: IPS Reports 1]

[screenshot: IPS Reports 2]