Starting an IPS HTTP Evasion test

The HTTP Evasion test replays packets that have been tampered with by the HTTP evasion engine. FortiTester modifies a custom HTTP pcap file according to the selected Evasion Types, then replays the modified pcap file through the device under test (DUT) to the target server, to check whether the DUT still detects and blocks the attack once the evasion is applied.

This test is available only with a FortiGuard Premium Subscription. Upgrade the device to FortiGuard Premium Subscription Services to enable it.

Before you begin:

  • Optional. If you want to test custom attack traffic, create a package of pcap files that can be replayed. Only IPv4 traffic is supported. Follow the file naming convention Description[_CVE-$CVEID].pcap, where [] marks an optional part. The file type can be .pcap, .tgz, .tar.gz, or .zip; a .tgz, .tar.gz, or .zip file contains a group of .pcap files. The maximum file size is 200MB. Upload the file, put it into the default group or a customized group, and then select that group of attack files when you configure the replay.
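As an added example, not part of the handbook and not FortiTester code: a Python script that checks a set of pcap files against the rules in the bullet above (the Description[_CVE-$CVEID].pcap naming convention, IPv4-only traffic, the 200MB limit) and bundles the files that pass into a .tgz package. The regex, the helper names, the sample frames and the placeholder CVE-0000-0000 are assumptions of this example; the IPv4 check walks a classic libpcap file and inspects the Ethernet type of every frame.

```python
import io
import re
import struct
import tarfile

# Constraints taken from the handbook text; the names, regex and sample
# frames below are assumptions of this added example.
MAX_BYTES = 200 * 1024 * 1024          # maximum upload size, 200MB
NAME_RE = re.compile(
    r"^(?P<desc>[A-Za-z0-9][\w.\-]*?)(?:_(?P<cve>CVE-\d{4}-\d{4,}))?\.pcap$")
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100


def parse_name(name):
    """Return (description, cve_or_None) for Description[_CVE-$CVEID].pcap, else None."""
    m = NAME_RE.match(name)
    return (m.group("desc"), m.group("cve")) if m else None


def pcap_is_ipv4_only(data):
    """Walk a classic libpcap file and confirm every frame carries IPv4.

    Returns (ok, reason). pcapng is not handled; the handbook asks for .pcap.
    """
    if len(data) < 24:
        return False, "too short for a pcap global header"
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"                    # magic 0xa1b2c3d4 written little-endian
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        return False, "not a classic libpcap file"
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        return False, "link type %d is not Ethernet" % linktype
    off, count = 24, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len or len(frame) < 14:
            return False, "packet %d is truncated or shorter than an Ethernet header" % count
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
            ethertype = struct.unpack("!H", frame[16:18])[0]   # skip the 802.1Q tag
        if ethertype != ETHERTYPE_IPV4:
            return False, "packet %d is ethertype 0x%04x, not IPv4" % (count, ethertype)
        off, count = off + 16 + incl_len, count + 1
    if count == 0:
        return False, "no packets"
    return True, "%d IPv4 packets" % count


def validate_file(name, data):
    """Collect every reason a file would be rejected; an empty list means it passes."""
    problems = []
    if parse_name(name) is None:
        problems.append("%s: name is not Description[_CVE-$CVEID].pcap" % name)
    if len(data) > MAX_BYTES:
        problems.append("%s: larger than 200MB" % name)
    ok, reason = pcap_is_ipv4_only(data)
    if not ok:
        problems.append("%s: %s" % (name, reason))
    return problems


def build_package(files):
    """Bundle {name: pcap_bytes} into a .tgz; refuse if any file fails validation."""
    problems = [p for n, d in files.items() for p in validate_file(n, d)]
    if problems:
        raise ValueError("; ".join(problems))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    package = buf.getvalue()
    if len(package) > MAX_BYTES:
        raise ValueError("package larger than 200MB")
    return package


def package_members(package):
    with tarfile.open(fileobj=io.BytesIO(package), mode="r:gz") as tar:
        return tar.getnames()


# Constructed sample data: a minimal little-endian pcap writer and two frames.
def make_pcap(frames, linktype=LINKTYPE_ETHERNET):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame
    return out


def eth_frame(ethertype, payload):
    return bytes(6) + bytes(6) + struct.pack("!H", ethertype) + payload


HTTP_BYTES = b"GET /cgi-bin/show.cgi HTTP/1.1\r\nHost: target.example\r\n\r\n"  # placeholder payload
GOOD_PCAP = make_pcap([eth_frame(ETHERTYPE_IPV4, HTTP_BYTES)] * 2)
MIXED_PCAP = make_pcap([eth_frame(ETHERTYPE_IPV4, HTTP_BYTES),
                        eth_frame(0x86DD, HTTP_BYTES)])        # second frame is IPv6

if __name__ == "__main__":
    print(validate_file("traversal_probe.pcap", GOOD_PCAP))        # []
    print(validate_file("mixed v6.pcap", MIXED_PCAP))              # bad name and an IPv6 frame
    pkg = build_package({"traversal_probe.pcap": GOOD_PCAP,
                         "traversal_probe_CVE-0000-0000.pcap": GOOD_PCAP})
    print(package_members(pkg))
```

Run this before uploading: a file that would be rejected for a bad name or for non-IPv4 frames appears in the returned problem list instead of failing later when the case runs.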
To start an HTTP Evasion test:
  1. Go to Cases > Security Testing > IPS > HTTP Evasion to display the test case summary page.
  2. Click + Create New to display the Select case options dialog box.
  3. In the popup dialog, for the Network Config option, select the network template you have created in Cases > Security Testing > Objects > Networks. Then the network related options will automatically be filled. See Using network configuration templates for how to create a network template.
  4. Select a Certificate Group if applicable.
  5. Click OK to continue.
  6. Configure the test case options described below.
  7. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

HTTP Evasion Test Case configuration

Settings and guidelines

Basic Information

Name
Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout
If FortiTester connects to the DUT through a switch, the switch might cause a ping timeout, and the test case fails to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.
Note: You can disable this end-to-end connectivity test by entering 0. If the DUT cannot return packets, it is recommended you do so.

Number of Samples
Select the number of samples. The default is 20, which means the web UI shows the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.

Script Config
Select the script that runs before/after the test. To create a script, see Using script object templates.

Steady Duration
Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Stopping Status in Second
The maximum time, in seconds, allotted for FortiTester to close all TCP connections after the test finishes.

DNS Host Group
Select the DNS host group used to look up the IP address of a domain name. To create a DNS host group, see Creating DNS host group.

DUT Monitor
Select to monitor a FortiGate device under test (DUT). If selected, you can monitor the DUT from the DUT Monitor tab on the management interface. To create a DUT monitor, see Using DUT monitoring.

Network Settings
If you have selected a network config template, the network settings inherit the configuration in the template. See Using network configuration templates for the description of the network settings.

Load

Loops
Number of times to send the attacks. 0 means as many times as possible, that is, until the Steady Duration elapses.

Delay
The period FortiTester waits before it sends the next attack.

Replay Time Out
How long the client waits for a response from the server. If the client does not receive a response within the timeout, it considers the packet lost. The default is 2 milliseconds.

Break Once Packet Lost
Select Yes or No. Yes means that when the system detects packet loss (the server side has not received a packet the client sent), it stops replaying the current pcap file and continues the test with the next pcap file. No (the default) means no break is set; the current replay continues.

Input Pcap
Select a pcap file to send. Uploaded files can be reused in future cases.

Evasion Types
Select the evasion types. FortiTester modifies the custom HTTP pcap file according to the selected Evasion Types.

Random Evasion
Enable this option so that FortiTester randomly chooses one of the available HTTP evasions.

Client/Server Network

Network MTU
The maximum transmission unit size.
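This page does not list the evasion types FortiTester applies. As an added illustration, not FortiTester's engine or its evasion list, the following Python shows two generic HTTP evasions of the kind an evasion engine produces, percent-encoding (single and double) and chunked transfer encoding with tiny chunks and chunk extensions, applied to a constructed request carrying a traversal string, together with the normalization an IPS must perform before a signature can match. The request, the signature and all function names are constructed for this example.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample: a request whose body carries a traversal string that a
# simple IPS signature would look for. The evasions below are generic HTTP
# evasions written for this example; they are not FortiTester's list.
SIGNATURE = b"../../etc/passwd"
PLAIN_REQUEST = (b"POST /cgi-bin/show.cgi HTTP/1.1\r\n"
                 b"Host: target.example\r\n"
                 b"Content-Length: 21\r\n"
                 b"\r\n"
                 b"file=../../etc/passwd")


def split_request(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def join_request(reqline, headers, body):
    return b"\r\n".join([reqline] + headers) + b"\r\n\r\n" + body


def header_value(headers, name):
    for h in headers:
        k, _, v = h.partition(b":")
        if k.strip().lower() == name:
            return v.strip().lower()
    return None


def without_header(headers, name):
    return [h for h in headers if h.partition(b":")[0].strip().lower() != name]


def evade_percent_encode(raw, rounds=1):
    """Percent-encode '.' and '/' in the body; rounds=2 gives double encoding."""
    reqline, headers, body = split_request(raw)
    for _ in range(rounds):
        body = body.replace(b"%", b"%25").replace(b".", b"%2e").replace(b"/", b"%2f")
    headers = without_header(headers, b"content-length")
    headers.append(b"Content-Length: %d" % len(body))
    return join_request(reqline, headers, body)


def evade_chunked(raw, chunk_size=3):
    """Send the body as tiny chunks with chunk extensions so no chunk holds the signature."""
    reqline, headers, body = split_request(raw)
    pieces = [body[i:i + chunk_size] for i in range(0, len(body), chunk_size)]
    chunked = b"".join(b"%x;x=%d\r\n%s\r\n" % (len(p), n, p) for n, p in enumerate(pieces))
    chunked += b"0\r\n\r\n"
    headers = without_header(headers, b"content-length")
    headers.append(b"Transfer-Encoding: chunked")
    return join_request(reqline, headers, chunked)


def dechunk(body):
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";", 1)[0], 16)   # drop chunk extensions
        pos = end + 2
        if size == 0:
            return out
        out += body[pos:pos + size]
        pos += size + 2                                    # skip the data and its CRLF


def normalize(raw, max_decode_rounds=2):
    """Reassemble a chunked body and percent-decode it, as an IPS must before matching."""
    _, headers, body = split_request(raw)
    if header_value(headers, b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    for _ in range(max_decode_rounds):
        if b"%" not in body:
            break
        body = unquote_to_bytes(body)
    return body


def naive_match(raw):
    """A byte-level signature match on the wire data, with no normalization."""
    return SIGNATURE in raw


def detect(raw):
    """The same signature applied after normalization."""
    return SIGNATURE in normalize(raw)


EVADED = [
    evade_percent_encode(PLAIN_REQUEST),
    evade_percent_encode(PLAIN_REQUEST, rounds=2),
    evade_chunked(PLAIN_REQUEST),
    evade_chunked(evade_percent_encode(PLAIN_REQUEST, rounds=2)),
]

if __name__ == "__main__":
    for req in [PLAIN_REQUEST] + EVADED:
        print(naive_match(req), detect(req))
```

The naive matcher fires only on the plain request; each evaded variant slips past it and is caught again only after the body is dechunked and decoded. That gap, between what a DUT matches on the wire and what it matches after normalization, is what the HTTP Evasion test measures, and Random Evasion widens the sample by varying which transformation each replay gets.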