SprayPAL: How capturing and replaying attack traffic can save your IDS
Dr. Patrick Engebretson, Mr. Kyle Cronin, Dr. Josh Pauli

1. Introductions
2. Why we all need a PAL
3. Building our PAL
4. Spray it - don't say it
5. Community PAL
6. Bros spraying bros
7. Good night, Black Hat!
Dr. Patrick Engebretson
• Asst. Prof. of Info. Assurance at Dakota State Univ.
• Network security
Mr. Kyle Cronin
• Doctoral student at Dakota State Univ.
• SysAdmin ftw
Dr. Josh Pauli
• Assoc. Prof. of Info. Assurance at Dakota State Univ.
• Software Security
• IDS/IPS need to be tested, but shizzle can't break (the test must not take the production network down)
• Not to learn ONLY offensive techniques, kids!
• Dr. E is a CAPEC fanboi from his research (CAPEC: MITRE's Common Attack Pattern Enumeration and Classification)
• No need to reinvent attack descriptions
• Just use them for more than "we just read about attacks and….."
• So fresh & so clean (a freshly built lab)
• VMs are good, too
• SNORT
• Wireshark
• BT4 (BackTrack 4) as the attacker
• Victim (various)
1. Identify the CAPEC attack that you want to model
2. Craft attack traffic on the 'Attacker' that mimics the CAPEC attack
3. Ensure SNORT is running with an up-to-date ruleset that matches the ID chosen in step #1
4. Ensure Wireshark is running with no other traffic captured (clean slate)
5. Execute the attack on the 'Victim'
• Easy manipulation - who doesn't want that?
• Layer 2 and 3 attributes of the packets (Ethernet and IP headers)
• One victim?
• Several victims?
• One attack?
• Piggy-backed attacks?
• You have choices, folks…
1. Ensure the SNORT rule(s) fired; comment with the specific CAPEC ID number
2. Stop and "cleanse" the .pcap in Wireshark as needed
3. Save the .pcap with the same ID number as the chosen CAPEC attack
4. Save the .pcap in the correct directory to be available to SprayPAL
5. Test the .pcap in SprayPAL with specific layer 2 & 3 attributes
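The two five-step procedures above (capture the attack with Snort and Wireshark running, then cleanse, save and replay the .pcap with new layer 2/3 attributes) are shown end to end below, as an added example that is not SprayPAL's own code. It uses only the Python standard library: it parses a classic pcap, drops everything that is not attacker-to-victim traffic (the "cleanse" step), rewrites MAC and IPv4 addresses and recomputes the IPv4 and TCP/UDP checksums that depend on them (the "spray" step), writes the result back out, and can put it on the wire through a Linux raw socket. The addresses, ports, MAC values, file name and the sample capture are constructed for the example; they are not from the talk.

```python
"""Added example (not SprayPAL's code): cleanse a captured attack .pcap, rewrite its
layer-2/3 attributes with correct checksums, and replay it. Addresses/ports are constructed."""
import socket
import struct
import sys

PCAP_MAGIC, LINKTYPE_ETHERNET, ETHERTYPE_IPV4, TCP, UDP = 0xA1B2C3D4, 1, 0x0800, 6, 17

def rfc1071(data: bytes) -> int:
    """One's-complement checksum used by IPv4/TCP/UDP; returns 0 over data whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def read_pcap(blob: bytes):
    """Parse a classic pcap (not pcapng) of Ethernet frames; yields (ts_sec, ts_usec, frame)."""
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", blob[:4])[0])
    if endian is None or struct.unpack(endian + "I", blob[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("not a classic pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", blob[off:off + 16])
        yield ts_sec, ts_usec, blob[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def write_pcap(packets) -> bytes:
    """Serialise (ts_sec, ts_usec, frame) tuples as a little-endian classic pcap."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in packets:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def cleanse(packets, hosts):
    """'Cleanse' step: keep only IPv4 packets exchanged between attacker and victim (packed addresses)."""
    for ts_sec, ts_usec, frame in packets:
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[26:30] in hosts and frame[30:34] in hosts:
            yield ts_sec, ts_usec, frame

def rewrite_frame(frame: bytes, mac_map: dict, ip_map: dict) -> bytes:
    """'Spray' step: swap MAC/IPv4 addresses per the maps and recompute the checksums that
    cover them (IPv4 header; TCP/UDP, whose pseudo-header includes both IP addresses)."""
    if len(frame) < 14:
        return frame
    eth = mac_map.get(frame[:6], frame[:6]) + mac_map.get(frame[6:12], frame[6:12]) + frame[12:14]
    body = frame[14:]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4 or len(body) < 20:
        return eth + body
    ihl, proto = (body[0] & 0x0F) * 4, body[9]
    ip = bytearray(body[:ihl])
    src = ip_map.get(bytes(ip[12:16]), bytes(ip[12:16]))
    dst = ip_map.get(bytes(ip[16:20]), bytes(ip[16:20]))
    ip[12:16], ip[16:20], ip[10:12] = src, dst, b"\x00\x00"
    ip[10:12] = struct.pack("!H", rfc1071(bytes(ip)))
    l4_len = struct.unpack("!H", ip[2:4])[0] - ihl
    seg, trailer = bytearray(body[ihl:ihl + l4_len]), body[ihl + l4_len:]
    # No L4 fix-up if snaplen truncated the packet or UDP has its checksum disabled (0).
    if proto in (TCP, UDP) and len(seg) == l4_len and not (proto == UDP and seg[6:8] == b"\x00\x00"):
        off = 16 if proto == TCP else 6
        seg[off:off + 2] = b"\x00\x00"
        csum = rfc1071(src + dst + bytes([0, proto]) + struct.pack("!H", l4_len) + bytes(seg))
        seg[off:off + 2] = struct.pack("!H", 0xFFFF if proto == UDP and csum == 0 else csum)
    return eth + bytes(ip) + bytes(seg) + trailer

def tcp_syn(src_mac, dst_mac, src_ip, dst_ip, sport, dport) -> bytes:
    """Constructed sample traffic: a 40-byte IPv4/TCP SYN with valid checksums."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0))
    tcp[16:18] = struct.pack("!H", rfc1071(src_ip + dst_ip + bytes([0, TCP, 0, 20]) + bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, TCP, 0, src_ip, dst_ip))
    ip[10:12] = struct.pack("!H", rfc1071(bytes(ip)))
    return dst_mac + src_mac + b"\x08\x00" + bytes(ip) + bytes(tcp)

# Constructed lab addresses (assumptions, not from the talk).
ATTACKER, VICTIM, NOISE = (socket.inet_aton(a) for a in ("10.0.0.5", "10.0.0.10", "10.0.0.7"))
ATTACKER_MAC, VICTIM_MAC, NOISE_MAC = (bytes([2, 0, 0, 0, 0, n]) for n in (5, 10, 7))
NEW_VICTIM, NEW_VICTIM_MAC = socket.inet_aton("192.168.1.20"), bytes([2, 0, 0, 0, 1, 20])

def sample_capture() -> bytes:
    """Stand-in for what Wireshark saved: the attack SYN plus one unrelated packet to be cleansed away."""
    return write_pcap([(1, 0, tcp_syn(ATTACKER_MAC, VICTIM_MAC, ATTACKER, VICTIM, 40000, 445)),
                       (1, 500, tcp_syn(NOISE_MAC, VICTIM_MAC, NOISE, VICTIM, 51000, 80))])

def retarget(pcap: bytes, hosts, mac_map, ip_map) -> bytes:
    """Cleanse, rewrite and re-serialise: the .pcap to save under its CAPEC ID for the replayer."""
    return write_pcap((s, u, rewrite_frame(f, mac_map, ip_map))
                      for s, u, f in cleanse(read_pcap(pcap), hosts))

def replay(pcap: bytes, iface: str) -> int:
    """Put the frames on the wire via a Linux AF_PACKET raw socket (needs CAP_NET_RAW); returns count."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    sock.bind((iface, 0))
    return sum(1 for _, _, frame in read_pcap(pcap) if sock.send(frame))

if __name__ == "__main__":   # usage: python spray.py [iface]   (give an iface to actually transmit)
    out = retarget(sample_capture(), {ATTACKER, VICTIM}, {VICTIM_MAC: NEW_VICTIM_MAC}, {VICTIM: NEW_VICTIM})
    with open("CAPEC-ID.pcap", "wb") as fh:   # rename with the real CAPEC ID, as the save step says
        fh.write(out)
    if len(sys.argv) > 1:
        print("replayed %d frames on %s" % (replay(out, sys.argv[1]), sys.argv[1]))
```

Two checks worth doing before spraying: run Snort over the rewritten file first (`snort -r CAPEC-ID.pcap` with the same ruleset) to confirm the rule still fires after the address rewrite, and remember that replaying one side of a captured conversation does not reproduce a real TCP handshake, so rules that depend on stateful stream reassembly may need both directions of the capture replayed on the right segments to alert.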
Get it while it's hot, get it while it's buttered….
• Pound it here: http://ia.dsu.edu/spraypal
• Pound him here: Pat.Engebretson@dsu.edu
Epic, Fabulous, Incredible, Hilarious, Ridiculous, Remarkable, Excellent, Phenomenal Demo
? ? ☺