Cisco Systems: IPS4360 Test case

Intrusion detection and prevention test
This post demonstrates an example of how to carry out an IPS factory acceptance test.

Test plan parameters example
Product: IPS4360-K9
Serial Number: abcdefg
Date: 27/Jan/2013

Purpose: This test verifies the ability of the IPS to block malicious traffic when a signature is matched.
Procedure: On the attacker PC, launch Metasploit. Launch an attack against the victim. Launch the event viewer to view the IPS events.
Expected results:
1. Cisco IPS blocks the attack: Pass/Fail
2. IPS events are shown in the event viewer: Pass/Fail
3. The Metasploit attack times out: Pass/Fail
Remarks:

Modify the procedure and expected results according to the tool you use. The sections below demonstrate the attacks and the results expected from the Cisco IPS.

Metasploit attacks
This section demonstrates the exploit and payload used for testing, with no IPS in the path.

Search for ms08_067_netapi. This exploit works with all service packs of Windows XP; as long as the RPC/DCOM port 445 is open, this exploit will always work.

Use the exploit and load the payload.
Set the remote host and the local host.
Run the exploit. A Meterpreter session is created. The victim is pwned.

Metasploit attacks dropped by Cisco IPS4360

The source and destination IP addresses are masked out by me.

[Image: IPS device deny-packet events]

Denial of service attack with hping3
From the attacker's machine, launch an hping3 flood:

hping3 --udp --flood 192.168.56.102

Open a new tab and launch the command below:

hping3 -S --flood 192.168.56.102

Open as many tabs as you want to launch multiple flooding attacks. You should also open Task Manager on the Windows XP victim to monitor resource usage.

Before flooding.
While the flooding is ongoing.

When Cisco IPS blocks this type of attack, it fires the alert and drops the flood; your Windows XP victim will no longer sit at a constant CPU load between 88% and 90%, but will return to a normal load between 0% and 9%.
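The test plan at the top of the post lists three Pass/Fail criteria, and the flood test adds a fourth observation (victim CPU back in the 0% to 9% range). The following script is an added example, not code from the original post or from Cisco: it scores one test run against those criteria from a constructed event log and constructed CPU samples. The key=value event line layout, the signature id "TEST-SIG-1", the action name "denyPacket" and all sample values are placeholders; they are not the Cisco IPS event format or real signature numbers.

```python
"""Score an IPS acceptance-test run against the post's Pass/Fail criteria.

Added example, not part of the original post. Event layout, signature id,
action name and CPU samples are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass
class IpsEvent:
    sig_id: str
    action: str
    src: str
    dst: str


def parse_event_line(line: str) -> IpsEvent:
    """Parse one constructed 'key=value key=value ...' event line."""
    fields = dict(token.split("=", 1) for token in line.split())
    return IpsEvent(
        sig_id=fields["sig"],
        action=fields["action"],
        src=fields.get("src", "masked"),
        dst=fields.get("dst", "masked"),
    )


def load_events(text: str) -> list:
    """Parse a whole event-viewer export, skipping blank lines."""
    return [parse_event_line(l) for l in text.splitlines() if l.strip()]


# Constructed sample event log; addresses masked, as in the post.
SAMPLE_LOG = """\
sig=TEST-SIG-1 action=denyPacket src=x.x.x.x dst=y.y.y.y
sig=TEST-SIG-1 action=denyPacket src=x.x.x.x dst=y.y.y.y
sig=TEST-SIG-9 action=alert src=x.x.x.x dst=y.y.y.y
"""

# Constructed CPU samples (percent) read from the victim's Task Manager.
CPU_FLOOD_UNPROTECTED = [88, 89, 90, 89, 88]
CPU_FLOOD_PROTECTED = [2, 5, 7, 3, 9]


def ips_blocked(events, sig_id: str) -> bool:
    """Criterion 1: the IPS recorded a deny action for the tested signature."""
    return any(e.sig_id == sig_id and e.action == "denyPacket" for e in events)


def events_shown(events, sig_id: str) -> bool:
    """Criterion 2: the tested signature appears in the event viewer at all."""
    return any(e.sig_id == sig_id for e in events)


def attack_timed_out(session_created: bool) -> bool:
    """Criterion 3: no session came back to the attacker, i.e. the attempt timed out."""
    return not session_created


def cpu_normal(samples, normal_max: int = 9) -> bool:
    """Flood test: every sample sits in the 0-9% range the post calls normal."""
    return all(0 <= s <= normal_max for s in samples)


def evaluate(events, sig_id: str, session_created: bool, cpu_samples) -> dict:
    """Return one Pass/Fail flag per criterion for a single test run."""
    return {
        "ips_blocked": ips_blocked(events, sig_id),
        "events_shown": events_shown(events, sig_id),
        "attack_timed_out": attack_timed_out(session_created),
        "cpu_normal": cpu_normal(cpu_samples),
    }


def verdict(results: dict) -> str:
    """Overall result: every criterion must pass."""
    return "PASS" if all(results.values()) else "FAIL"


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    run = evaluate(evs, "TEST-SIG-1", session_created=False,
                   cpu_samples=CPU_FLOOD_PROTECTED)
    for name, ok in run.items():
        print(f"{name}: {'Pass' if ok else 'Fail'}")
    print("Overall:", verdict(run))
```

To use it against a real run, export the event viewer contents into the same key=value shape (or adapt `parse_event_line` to the viewer's own export), record whether Metasploit reported a session, and paste in the CPU readings taken while the flood was running. A signature that only alerts without a deny action fails criterion 1 but passes criterion 2, which is exactly the distinction the test plan is meant to surface.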

Cisco IPS denial of service event

Source and destination IP addresses are masked out.

Other IPS events
This section displays the various IPS events; from them you can get an idea of which intrusion tools trigger the signatures.

[Image: IPS device, all IPS alerts (1)]

[Image: IPS device, all IPS alerts (2)]
