Pages

SOPHOS XG IPS testing with Pytbull

 


svsv

Scanner               -Sophos-XG                      --- Web server (HTTP/HTTPS)
212.0.210.169      212.0.210.172 (port B) 
                            10.255.255.1 (port C)         10.255.255.172


1) Scanner VM: ubuntu-lts-20-soph-pytbull
https://www.bgasecurity.com/2013/08/ack-kaynak-kodlu-yazlmlar-kullanarak/


212.0.210.169
cd /zzz/pytbull/pytbull-ng-main/source
time /zzz/pytbull/pytbull-ng-main/source/pytbull -t 212.0.210.172  --mode=gateway



2) Sophos XG 18.3 VM: sophos-18.5.3_MR-3.VMW-408_virtual_vm8
Network adapter 1 vlan_0099 ( Port A : https://172.17.99.117:4444/
Network adapter 2 vlan_3098 ( Port B : 212.0.210.172  (+ NAT to 10.255.255.172)
Network adapter 3 vlan_0666 ( Port A : 10.255.255.1


3) Web Server: ubuntu-lts-20-soph-web-server
Network adapter 1 vlan_0666 ( Port A : 10.255.255.172
https://sxg.telco.md/


====================================

./GO-pytbull-scanner
(cd /zzz/pytbull/pytbull-ng-main/source
time /zzz/pytbull/pytbull-ng-main/source/pytbull -t 212.0.210.172  --mode=gateway)

                           __  __          ____                 
              ____  __  __/ /_/ /_  __  __/ / /     ____  ____ _
             / __ \/ / / / __/ __ \/ / / / / /_____/ __ \/ __ `/
            / /_/ / /_/ / /_/ /_/ / /_/ / / /_____/ / / / /_/ / 
           / .___/\__, /\__/_.___/\__,_/_/_/     /_/ /_/\__, /  
          /_/    /____/                                /____/   
           creator of pytbull:    Sebastien Damaye, aldeid.com
           creator of pytbull-ng: Michal Chrobak,   efigo.pl

What would you like to do?
1. Run a new campaign (will erase previous results)
2. View results from previous campaign
3. Exit
Choose an option: 1

(gateway mode)

+------------------------------------------------------------------------+
| pytbull will set off IDS/IPS alarms and/or other security devices      |
| and security monitoring software. The user is aware that malicious     |
| content will be downloaded and that the user should have been          |
| authorized before running the tool.                                    |
+------------------------------------------------------------------------+

BASIC CHECKS
------------
Checking root privileges.........................................[   OK   ]
Checking remote port 80/tcp (HTTP)...............................[   OK   ]
Checking path for sudo...........................................[   OK   ]
Checking path for nmap...........................................[   OK   ]
Checking path for nikto..........................................[   OK   ]
Checking path for niktoconf......................................[   OK   ]
Checking path for hping3.........................................[   OK   ]
Checking path for tcpreplay......................................[   OK   ]
Checking path for ab.............................................[   OK   ]
Checking path for ping...........................................[   OK   ]
Checking path for ncrack.........................................[   OK   ]
Removing temporary file..........................................[   OK   ]
Cleaning database................................................[   OK   ]

TESTS
------------
Client Side Attacks..............................................[   no   ]
Test Rules.......................................................[   no   ]
Bad Traffic......................................................[   yes  ]
Fragmented Packets...............................................[   yes  ]
Brute Force......................................................[   no   ]
Evasion Techniques...............................................[   yes  ]
ShellCodes.......................................................[   no   ]
Denial of Service................................................[   yes  ]
Pcap Replay......................................................[   yes  ]
Normal Usage.....................................................[   yes  ]
IP Reputation....................................................[   yes  ]


BAD TRAFFIC
------------
TEST #1 - [16:25:19-16:35:19] - Nmap Xmas scan........................[  done  ]
TEST #2 - [16:25:24-16:26:24] - Malformed Traffic.....................[  done  ]

FRAGMENTED PACKETS
------------

EVASION TECHNIQUES
------------
TEST #3 - [16:25:28-16:35:28] - Nmap decoy test (6th position)........[  done  ]
TEST #4 - [16:27:56-16:37:56] - Nmap decoy test (7th position)........[  done  ]
TEST #5 - [16:30:22-16:31:22] - Hex encoding..........................[  done  ]
TEST #6 - [16:30:26-16:40:26] - Nmap scan with fragmentation..........[  done  ]
TEST #7 - [16:31:15-16:32:15] - Nikto Random URI encoding.............[  done  ]
TEST #8 - [16:31:36-16:32:36] - Nikto Directory self reference........[  done  ]
TEST #9 - [16:32:11-16:33:11] - Nikto Premature URL ending............[  done  ]
TEST #10 - [16:32:47-16:33:47] - Nikto Prepend long random string.....[  done  ]
TEST #11 - [16:33:23-16:34:23] - Nikto Fake parameter.................[  done  ]
TEST #12 - [16:33:32-16:34:32] - Nikto TAB as request spacer..........[  done  ]
TEST #13 - [16:33:38-16:34:38] - Nikto Change the case of the URL.....[  done  ]
TEST #14 - [16:34:15-16:35:15] - Nikto Windows directory separator....[  done  ]
TEST #15 - [16:34:52-16:35:52] - Nikto Carriage return as request s...[  done  ]
TEST #16 - [16:34:58-16:35:58] - Nikto Binary value as request spac...[  done  ]
TEST #17 - [16:35:06-16:36:06] - Javascript Obfuscation...............[  done  ]

DENIAL OF SERVICE
------------
TEST #18 - [16:35:10-16:36:10] - ApacheBench DoS......................timed out...[  done  ]
TEST #19 - [16:36:14-16:37:14] - hping SYN flood......................[  done  ]

PCAP REPLAY
------------

NORMAL USAGE
------------
TEST #20 - [16:36:19-16:37:19] - ApacheBench 10 requests..............[  done  ]
TEST #21 - [16:36:25-16:37:25] - Standard ping........................[  done  ]

IP REPUTATION
------------
TEST #22 - [16:36:29-16:37:29] - IP Reputation 103.129.98.17..........[  done  ]
TEST #23 - [16:36:33-16:37:33] - IP Reputation 103.253.73.77..........[  done  ]
TEST #24 - [16:36:37-16:37:37] - IP Reputation 103.83.81.144..........[  done  ]
TEST #25 - [16:36:41-16:37:41] - IP Reputation 104.18.36.98...........[  done  ]
TEST #26 - [16:36:45-16:37:45] - IP Reputation 107.175.64.210.........[  done  ]
TEST #27 - [16:36:49-16:37:49] - IP Reputation 108.171.216.194........[  done  ]
TEST #28 - [16:36:53-16:37:53] - IP Reputation 110.4.45.119...........[  done  ]
TEST #29 - [16:36:57-16:37:57] - IP Reputation 184.168.221.43.........[  done  ]
TEST #30 - [16:37:01-16:38:01] - IP Reputation 185.104.45.20..........[  done  ]
TEST #31 - [16:37:05-16:38:05] - IP Reputation 185.174.100.116........[  done  ]

real    11m52.821s
user    0m10.923s
sys     0m3.134s


Sophos XG IPS logs:

Time Log comp Log subtype Username Src IP Dst IP Signature ID Signature name Category Platform Victim Firewall rule Message ID Live PCAP
IPS 6/9/2022 19:30 Signatures Drop 212.0.210.169 10.255.255.172 1122 SERVER-WEBAPP /etc/passwd file access attempt server-webapp Linux Server 6 7002 Open PCAP
IPS 6/9/2022 19:27 Signatures Drop 212.0.210.169 10.255.255.172 2305362 SCAN NMAP Script Scanner scan BSD,Linux,Mac,Other,Solaris,Unix,Windows Server 6 7002 Open PCAP
IPS 6/9/2022 19:27 Signatures Drop 212.0.210.169 10.255.255.172 2305362 SCAN NMAP Script Scanner scan BSD,Linux,Mac,Other,Solaris,Unix,Windows Server 6 7002 Open PCAP
IPS 6/9/2022 19:27 Signatures Drop 212.0.210.169 10.255.255.172 2305362 SCAN NMAP Script Scanner scan BSD,Linux,Mac,Other,Solaris,Unix,Windows Server 6 7002 Open PCAP
IPS 6/9/2022 19:27 Signatures Drop 212.0.210.169 10.255.255.172 2305362 SCAN NMAP Script Scanner scan BSD,Linux,Mac,Other,Solaris,Unix,Windows Server 6 7002 Open PCAP

IPS logs





IPS Reports 1

IPS Reports 2