    Reproducing an Attack

    Reproducing the attack in your lab lets you capture the service contexts that you then analyze to determine the signature elements described in Discovering the Attack Signature. A TCP session must include the TCP three-way handshake for the IDP system to generate contexts accurately; a capture that begins mid-stream will not. You can reproduce attack traffic in one of the following ways:

    Replaying a Packet Capture

    In some cases, the security bulletin that prompts you to guard against a vulnerability includes a packet capture to illustrate traffic that can exploit a vulnerability.

    To reproduce an attack when you have a packet capture:

    1. Copy the filename.pcap file to the IDP Series device /tmp directory.
    2. Open two separate SSH or virtual terminal connections to the IDP CLI (two separate windows).
    3. In one window, enter the following command to start the context capture:

      [user@host]% scio ccap all
    4. In the other window, enter the following command to replay the filename.pcap file:

      [user@host]% scio pcap s0 eth0 filename.pcap
    5. Switch to the context capture window. When you are ready to terminate the context capture, press Ctrl-C.
    6. Review the results:

      • If the attack uses service contexts known to the IDP system, the contexts are displayed on the screen. For a reference of known contexts, see Reference: Custom Attack Object Service Contexts.
      • If the attack does not use service contexts known to the IDP system, the results are empty.
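
    Before replaying a capture with scio pcap, it is worth confirming that every TCP session in the file actually begins with the three-way handshake the procedure requires, since a session captured mid-stream may not generate contexts accurately. The following Python script is an added example, not part of the IDP documentation or of the scio tool: it parses a classic little-endian libpcap file with Ethernet framing, tracks SYN, SYN/ACK and ACK per session, and reports which sessions are complete. The sample capture it builds is constructed inline for the demonstration, and all function names (build_packet, build_pcap, iter_tcp, handshake_report, sample_pcap) are the example's own.

```python
"""Check that each TCP session in a pcap starts with a full three-way handshake.

Added example for the IDP "Reproducing an Attack" procedure; not part of the
product documentation. Handles classic little-endian pcap (magic 0xA1B2C3D4)
with Ethernet link type only. All helper names below are hypothetical.
"""
import struct
import sys

SYN, ACK, PSH = 0x02, 0x10, 0x08


def _ipv4(addr):
    return bytes(int(o) for o in addr.split("."))


def build_packet(src, dst, sport, dport, flags, seq=0, ack=0, payload=b""):
    """Construct one Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ipv4(src), _ipv4(dst))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a classic libpcap file (version 2.4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags) for every TCP segment in the capture."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                    # not TCP
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield src, dst, sport, dport, tcp[13]


def handshake_report(pcap):
    """Map (client, cport, server, sport) -> True if SYN, SYN/ACK and ACK appear in order."""
    state = {}   # session key -> 0 (no SYN seen), 1 (SYN), 2 (SYN/ACK), 3 (complete)
    for src, dst, sport, dport, flags in iter_tcp(pcap):
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        key = fwd if fwd in state or rev not in state else rev
        stage = state.setdefault(key, 0)
        if key == fwd and flags & SYN and not flags & ACK:
            state[key] = max(stage, 1)
        elif key == rev and flags & SYN and flags & ACK and stage == 1:
            state[key] = 2
        elif key == fwd and flags & ACK and not flags & SYN and stage == 2:
            state[key] = 3
    return {k: v == 3 for k, v in state.items()}


def sample_pcap(complete=True):
    """Constructed capture: a full handshake plus one HTTP request, or only the request."""
    c, s = "10.0.0.5", "10.0.0.9"
    frames = [
        build_packet(c, s, 40000, 80, SYN, seq=100),
        build_packet(s, c, 80, 40000, SYN | ACK, seq=500, ack=101),
        build_packet(c, s, 40000, 80, ACK, seq=101, ack=501),
        build_packet(c, s, 40000, 80, PSH | ACK, seq=101, ack=501,
                     payload=b"GET / HTTP/1.0\r\n\r\n"),
    ]
    if not complete:
        frames = frames[3:]   # mid-stream only: what a truncated capture looks like
    return build_pcap(frames)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    for session, ok in handshake_report(data).items():
        print(session, "handshake complete" if ok else "NO HANDSHAKE: contexts may be missing")
```

    Run it against the file you intend to copy to /tmp on the IDP Series device; any session reported without a handshake is a reason to re-capture rather than to expect empty results from scio ccap to mean the attack uses no known context.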

    Running Attack Code

    In some cases, the security bulletin that prompts you to guard against a vulnerability includes details of the attack code used to exploit the vulnerability.

    To reproduce an attack when you do not have a packet capture but you do have the attack code:

    1. Copy the attack code to your test lab attacker computer. If necessary, compile the code.
    2. Log in to the IDP Series device CLI and enter the following command to start the context capture:

      [user@host]% scio ccap all
    3. On the test lab victim computer, start a Wireshark capture. Be sure to specify the interface that receives traffic from the IDP Series device.
    4. On the test lab attacker computer, run the attack code.
    5. Switch to the context capture window. When you are ready to terminate the context capture, press Ctrl-C.
    6. Review the results:

      • If the attack uses service contexts known to the IDP system, the contexts are displayed on the screen. For a reference of known contexts, see Reference: Custom Attack Object Service Contexts.
      • If the attack does not use service contexts known to the IDP system, the results are empty.
    7. On the test lab victim computer, review the Wireshark Captured Frames progress box. The progress box displays a list of services and the number of frame captures for each service. When the capture limits have been met, the progress box closes and Wireshark displays the packet capture. Use Wireshark utilities to analyze and save the packet capture.

    Published: 2011-02-08