Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Thursday, July 29 • 3:15pm - 3:45pm
SprayPAL: How capturing and replaying attack traffic can save your IDS

Sign up or log in to save this to your schedule and see who's attending!

*Times for Tubo Talks are approximate

 

Testing Intrusion Detection Systems (IDS) to ensure the most malicious attacks are detected is a cornerstone of these systems, but there is no standardized method to execute these tests. Running live exploitations is not always a viable option – especially when the rule set isn’t finalized, and clients are often nervous about the use of “hacker tools” on their networks. Furthermore, educators struggle to teach IDS concepts as a standalone principle without teaching attack methodologies at the same time. We are releasing two artifacts to help solve these problems. First we introduce PAL, a PCAP Attack Library full of individual pre-captured attack files that can be easily replayed for IDS testing and education. This library is completely preassembled, clean, and extendable to include further additions of attacks. Our initial library is created from the findings in the Common Attack Pattern Enumeration Classification (CAPEC) from the Department of Homeland Security. Second, we introduce SprayPAL, a software tool that we’ve developed to replay the PCAP attack library files. Users can send attacks to a specific target or broadcast to an entire subnet of machines. Additional features include the ability to select individual or multiple simultaneous attacks as well as provide layer 2 and 3 packet level manipulation. We conclude by presenting a methodology for capturing attacks and adding them to the public library. Both our PCAP attack library and SprayPAL tool will be released at Black Hat 2010 to the general public.


Thursday July 29, 2010 3:15pm - 3:45pm
Day 2 - Turbo Talks

Attendees (33)