    Setting Up a Test Lab for Custom Attack Objects

    Guidelines

    We recommend that you test and fine-tune custom attack objects in a laboratory environment that is not connected to your corporate network.

    Topology

    Figure 1 shows an example lab topology.

    Figure 1: Custom Attack Object Test Lab

    Requirements

    Table 1 describes the purpose of test lab components.

    Table 1: Test Lab Components (Component: Purpose)

    Attacker computer: You use packet generation tools to run exploit code from the attacker computer to the victim computer.

    Victim computer: You use a packet capture utility, such as Wireshark, to capture packets received by the victim computer.

    IDP device: You use the scio ccap context capture utility (included with IDP OS software) to discover the attack context and pattern. We recommend you use IDP OS Release 5.1 or later.

    NSM server/client: You use the NSM object editor to create and test the custom attack object. We recommend you use NSM 2010.4 or later.

    Hub or switch: Typically, you deploy an IDP device in transparent mode between a switch and a firewall. Alternatively, you can deploy the IDP device in sniffer mode, connected only to the SPAN port of a switch. We recommend you experiment with both deployment possibilities.

    Packet Capture and Replay Tools

    Table 2 describes packet capture and replay tools you use to reproduce the attack.

    Table 2: Packet Capture and Replay Tools (Tool: Description)

    scio ccap

    An IDP OS scio utility. Use scio ccap to capture attack contexts.

    [root@defaulthost ~]# scio ccap
    Usage: scio ccap <ccap-command> [arguments...]
      ccap-commands:
        all : Capture all contexts
        sip <ipaddr>[/length]: Capture contexts for sessions from <ipaddr>[/length]
        dip <ipaddr>[/length]: Capture contexts for sessions to <ipaddr>[/length]
        svc <service>: Capture contexts for sessions that match <service>

    Keep the following notes in mind:

    • Issuing the scio ccap command starts context collection. Press Ctrl-C to end context collection.
    • Use standard Linux redirect-to-file syntax to direct screen output to a file (for example, scio ccap > file.txt). Otherwise, results are sent to the screen.

    You can use the all option in a lab environment, where you can control the network traffic. In a production environment, results using all are likely to be unmanageable, so we recommend you use the sip or dip option to capture the contexts for traffic that has a specific source or destination.

    scio pcap

    An IDP OS scio utility. Use scio pcap to replay a packet capture file.

    [root@defaulthost ~]# scio pcap
    Usage: scio pcap <subs-name> <vc-name> <file> [command [<options>]]
      commands:
        filter <options>: specify tcpdump style filtering options
        start <options>: specify packet number to start at and count of packets
        instrument : instrument ids pattern matching

    For best results:

    • Stop the Profiler service before running the scio pcap utility. To do this, use the profiler.sh stop command. To restore the Profiler service, use the profiler.sh restart command.
    • When you replay packet captures, allow 30 seconds to elapse between scio pcap commands.

    Wireshark

    Wireshark is a popular program used to analyze network traffic. You can use Wireshark to create and view packet captures. For more information about Wireshark, see http://www.wireshark.org/.

    Tcpreplay

    Tcpreplay is a set of BSD-licensed packet replay utilities. For more information about Tcpreplay, see http://tcpreplay.synfin.net/.

    tcpdump

    Linux-based version of the commonly used packet capture utility. On IDP Series devices, you can use tcpdump to capture packets received (Rx packets) by the device.


    [root@defaulthost ~]# man tcpdump
    Formatting page, please wait...
    TCPDUMP(8)                                                          TCPDUMP(8)
    
    NAME
           tcpdump - dump traffic on a network
    
    SYNOPSIS
           tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
                   [ -C file_size ] [ -F file ]
                   [ -i interface ] [ -m module ] [ -M secret ]
                   [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
                   [ -W filecount ]
                   [ -E spi@ipaddr algo:secret,...  ]
                   [ -y datalinktype ] [ -Z user ]
                   [ expression ]
    

    jnetTcpdump

    An IDP OS Release 5.1 utility. Capable of capturing both Rx and Tx packets. The following example starts listening on eth4 for packets with destination IP address 4.0.0.4:

    [root@localhost ~]# jnetTcpdump -i eth4 -f 4.0.0.4 dst
    jnetPassiveAttach done
    jnet tcpdump Started on eth4 for both Receive & Transmit side
    Filter enabled - Host:4.0.0.4 as dst
    0 50 56 a4 21 6c 0 50 56 a4 d 9 8 0 45 0 0 54 0 0 40 0 40 1 32 a3 4 0 0 3 4 0 0 4 8 0 55 8e 8e 4f 0 0
    ba 9f 3e 4d 21 32 f 0 8 9 a b c d e f 10 11 12 13 14 15
    0 50 56 a4 21 6c 0 50 56 a4 d 9 8 0 45 0 0 54 0 0 40 0 40 1 32 a3 4 0 0 3 4 0 0 4 8 0 97 88 8e 4f 0 1
    bb 9f 3e 4d de 36 f 0 8 9 a b c d e f 10 11 12 13 14 15
    Done...No of Packet Captured is 2
    No of Packets filtered-out 2
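As an added example (not part of the IDP documentation), the following Python parser decodes a jnetTcpdump listing like the one above: it turns the unpadded hex bytes back into frames, reconstructs the Ethernet, IPv4 and ICMP headers of the two captured packets, and verifies each IPv4 header checksum, so you can confirm in the lab what the dst filter actually matched. The record-splitting rule (a new packet starts on a line carrying EtherType 0x0800 at bytes 12-13) is an assumption, and the sample text is constructed from the output shown.

```python
import struct
from collections import namedtuple

# Constructed sample: the two ICMP packets from the jnetTcpdump output above, as the tool
# prints them (unpadded hex bytes, two lines per packet, capture truncated to 64 bytes).
JNET_DUMP = """\
0 50 56 a4 21 6c 0 50 56 a4 d 9 8 0 45 0 0 54 0 0 40 0 40 1 32 a3 4 0 0 3 4 0 0 4 8 0 55 8e 8e 4f 0 0
ba 9f 3e 4d 21 32 f 0 8 9 a b c d e f 10 11 12 13 14 15
0 50 56 a4 21 6c 0 50 56 a4 d 9 8 0 45 0 0 54 0 0 40 0 40 1 32 a3 4 0 0 3 4 0 0 4 8 0 97 88 8e 4f 0 1
bb 9f 3e 4d de 36 f 0 8 9 a b c d e f 10 11 12 13 14 15
"""

Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip ttl proto ip_total_len "
                            "captured_len header_csum_ok icmp_type icmp_id icmp_seq")

def split_records(dump):
    """Assumption (not stated on the page): a new packet starts on any line whose
    bytes 12-13 are EtherType 0x0800; every other line continues the current packet."""
    records = []
    for line in filter(str.strip, dump.splitlines()):
        data = bytes(int(t, 16) for t in line.split())  # unpadded hex: "d" is 0x0d
        if len(data) >= 14 and data[12:14] == b"\x08\x00":
            records.append(bytearray())
        if records:
            records[-1] += data
    return [bytes(r) for r in records]

def ip_checksum(header):
    # RFC 1071 one's-complement sum; returns 0 when the header's own checksum is valid
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_frame(data):
    mac = lambda b: ":".join("%02x" % x for x in b)
    ihl = (data[14] & 0x0F) * 4            # IPv4 header length in bytes
    ip = data[14:14 + ihl]
    src_ip, dst_ip = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    # ICMP echo header: type, code, checksum, identifier, sequence
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", data[14 + ihl:22 + ihl])
    return Frame(mac(data[6:12]), mac(data[0:6]), src_ip, dst_ip, ip[8], ip[9],
                 struct.unpack("!H", ip[2:4])[0], len(data), ip_checksum(ip) == 0,
                 itype, ident, seq)

def parse_dump(dump):
    """Decode every packet in a jnetTcpdump listing; keeps only Ethernet/IPv4/ICMP fields."""
    return [parse_frame(r) for r in split_records(dump)]
```

Running parse_dump(JNET_DUMP) shows both packets are ICMP echo requests from 4.0.0.3 to 4.0.0.4 (sequence 0 and 1, TTL 64) with valid IPv4 header checksums, and that only 64 of each packet's 84-byte IP total length was captured.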

    Published: 2011-02-08