6 Replies Latest reply on Feb 24, 2017 6:52 AM by secnubs

    Test case for NSP

    secnubs

      Is anyone here have a test case for Mcafee NSP? or have an idea how to create one?.

        • 1. Re: Test case for NSP
          peter.mason

          Hi secnubs,

           

          What exactly are you trying to test?

           

          If you just want to see if the sensor generates alerts you can use a vulnerability scanner to test it.

           

          Regards

           

          Peter

          • 2. Re: Test case for NSP
            secnubs

            I want to create a document in detecting types of Malware, Dos functionalities, Firewall rules and the anomaly checking. I need some example or better the actual test case document of McAfee for NSP will be very helpful.

            • 3. Re: Test case for NSP
              d_aloy

              Hi Secnubs

               

              This is a very high level testing methodology but hope it helps - or it gives you some ideas.

               

              You could go with a very simple testing lab (could be all virtual):

              Ostinato Server, Kali --- Port1 IPS Port2 --- Ubuntu(Apache)

               

              • So on one side you have the attackers: Kali for exploits, Ostinato for Volume DoS testing (if required)
              • On the other side your target, a simple Ubuntu box with an Apache server. On the Apache server /var/www/ directory create a folder named files and place the Artemis Test file, and some other files (i.e. an exe renamed to pdf or similar). The Artemis test file is on https://kc.mcafee.com/corporate/index?page=content&id=KB53733

               

              Configuration before testing:

              • NSM and IPS Sensor DNS settings should be configured to allow DNS lookups.
              • I would suggest to configure a simple syslog server to gather syslog events from FW rules as well, and configure syslog settings on the NSM.
              • On the IPS policy, place an all-inclusive with audit policy on the monitoring port.
              • Configure an Inspection policy and enable all settings for both inbound and outbound (HTTP response it’s important here, just enable everything to be sure)
              • Configure a FW policy to not allow SSH from Kali to Ubuntu.                                                                                         
              • Configure a connection limiting policy to Alert and drop if more than 1 Active telnet session is observed.
              • Configure the antimalware policy to alert on very low malware.
              • On the monitoring port,configure the DoS profile to Detect mode.

              Now on the NSM policy manager, apply all the above policies to your inline test ports and push the update. Once the sensor is updated with the new policy, you are ready to generate the traffic that will trigger the different alerts you want for your doc - take screenshots and of you go.

               

              Some of the tests you could perform:

              • Exploit Alerts - From Kali to Ubuntu - #wget http://ubuntu/cmd.exe
              • Reconnaissance Alerts - From Kali to Ubuntu - #nmap -sV -vvv ubuntu
              • Malware Alerts GTI - From kali to ubuntu - #wget http://ubuntu/files/artemistest.zip
              • Malware Signature alert - From Kali to ubuntu #wget http://ubuntu/files/renamedexetopdf.pdf
              • Dos Learning anomaly - From Kalii to ubuntu #ping -I eth0 -i 0 ubuntuipadddress
              • Dos Learning anomaly - Ostinato to ubuntu - configure Ostinato Server with the specific packets you want to test DoS alerts for (tcp,  udp, etc)
              • FW Rules - From Kali to ubuntu - #ssh user@ubuntu - this should be blocked and syslog alert out to sysloog server from NSM
              • Connection Limiting Alert - From kali to ubuntu - User two terminals and telnet to ubuntu - #telnet ubuntu 23 - will generate alert on the Alert Log (real time threat analyser)

               

              Again, this is very high level but should give you the output you are looking for.

               

              Regards,

              David

              4 of 4 people found this helpful
              • 4. Re: Test case for NSP
                secnubs

                Thanks David,

                 

                I will start building my test case document around your suggestion

                1 of 1 people found this helpful
                • 5. Re: Test case for NSP
                  ciaranr

                  Hi secnubs,

                   

                  Would you mind sharing what you come up with?

                  The information from this thread as been very helpful, I'd like to see what else comes from it.

                   

                  Regards,

                   

                  CR

                  • 6. Re: Test case for NSP
                    secnubs

                    Sure, once done, I'll remember to share it here