
Generate Test Threat Events and Incidents | How To

Description

For many production environments, naturally occurring traffic will generate events and incidents frequently. Environments with low traffic, or that are hardened against threat events and incidents, may rarely see naturally generated events and incidents. For these environments, you may want to intentionally generate traffic in order to confirm that Alert Logic® Threat Manager is detecting threat events and incidents.

Solution

Generate Threat Events

There are two ways to intentionally create traffic that will be detected as events and incidents:

  1. If there is a host in the environment that is running a web server, an HTTP/S request can be made against the server with a URL that contains a specific string that will generate an IDS event. The following is the URL that will generate an event:

    http://[webserver name/address]/alertlogic/test/event/58d97f2b9722e4cbebafe57b3084d42c37c1c456df2052d4c3227b9880c32218/

  2. If the host accepts ICMP traffic, utilize the following ping command with a specific string payload to trigger an event:

    sudo hping3 --icmp -e event/93336c1968c7b3c4a9585b7f2cf18d7d18221532eb996b32ad997851f5374230 [hostname/address]

    NOTE: hping3 is a free, open-source network tool that, among many other things, sends packets with an arbitrary payload (the -e option places the given string in the packet data).

Within a few minutes of generating the traffic, the events will appear in your Alert Logic console.

Generate Incidents

Generating events will usually be sufficient to confirm that Threat Manager is inspecting traffic and functioning as expected. If you also need to generate incidents, use the following URLs for requests against a web server to generate low, medium, high, or critical incidents:

  • Low: http://[webserver]/alertlogic/test/incident/low/580b0377639dc294823f48a460fb21216b96ad4355a4814beefe3a39715e3ca9/

  • Medium: http://[webserver]/alertlogic/test/incident/medium/91421a07fb24a88947f9ec44a28fe8df740b36e7bd1f547f03a4a22821d25fe8/

  • High: http://[webserver]/alertlogic/test/incident/high/9201b7ef62315ef71ae00a7ff75924440a27998ae6ca503d5e90582f5daa7444/

  • Critical: http://[webserver]/alertlogic/test/incident/critical/34c41e091b9b2b0ba821653baa9bcf84cab0fd830b3e366d7394efd26ff3ce79

Use the following for ICMP traffic to generate low, medium, high, or critical incidents:

  • Low: http://[webserver]/alertlogic/test/incident/low/580b0377639dc294823f48a460fb21216b96ad4355a4814beefe3a39715e3ca9/

  • Medium: http://[webserver]/alertlogic/test/incident/medium/91421a07fb24a88947f9ec44a28fe8df740b36e7bd1f547f03a4a22821d25fe8/

  • High: http://[webserver]/alertlogic/test/incident/high/9201b7ef62315ef71ae00a7ff75924440a27998ae6ca503d5e90582f5daa7444/

  • Critical: http://[webserver]/alertlogic/test/incident/critical/34c41e091b9b2b0ba821653baa9bcf84cab0fd830b3e366d7394efd26ff3ce79
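The following script is an added example, not Alert Logic's own tooling, that wraps the manual steps from both sections above: it fires the event URL and the four incident URLs at a web server, records the UTC time each request went out so you can correlate it with what appears in the Alert Logic console a few minutes later, and optionally runs the article's hping3 ICMP event command. The URL paths, hashes and ICMP payload string are copied from the article; the web server name, scheme and port are placeholders you supply (assumption). Only the Python standard library is used.

```python
"""Send the Alert Logic test requests described above and log when each went out.

Added example, not Alert Logic's own tooling. The URL paths and the hping3
payload string are copied from the article; the web server name and scheme
are placeholders supplied on the command line (assumption).
"""
import argparse
import datetime as dt
import shutil
import subprocess
import urllib.error
import urllib.request

# Test paths from the article, keyed by the kind of detection they exercise.
TEST_PATHS = {
    "event": "/alertlogic/test/event/58d97f2b9722e4cbebafe57b3084d42c37c1c456df2052d4c3227b9880c32218/",
    "incident-low": "/alertlogic/test/incident/low/580b0377639dc294823f48a460fb21216b96ad4355a4814beefe3a39715e3ca9/",
    "incident-medium": "/alertlogic/test/incident/medium/91421a07fb24a88947f9ec44a28fe8df740b36e7bd1f547f03a4a22821d25fe8/",
    "incident-high": "/alertlogic/test/incident/high/9201b7ef62315ef71ae00a7ff75924440a27998ae6ca503d5e90582f5daa7444/",
    "incident-critical": "/alertlogic/test/incident/critical/34c41e091b9b2b0ba821653baa9bcf84cab0fd830b3e366d7394efd26ff3ce79",
}

# ICMP payload from the article's hping3 command (event only: the article lists
# no ICMP payloads for incidents, so none are invented here).
ICMP_EVENT_PAYLOAD = "event/93336c1968c7b3c4a9585b7f2cf18d7d18221532eb996b32ad997851f5374230"


def build_url(webserver, name, scheme="http"):
    """Return the full test URL for one named test against the given web server."""
    return f"{scheme}://{webserver}{TEST_PATHS[name]}"


def hping3_event_command(host, count=None):
    """Return the article's hping3 argv for the ICMP event, optionally capped to `count` packets."""
    cmd = ["hping3", "--icmp", "-e", ICMP_EVENT_PAYLOAD]
    if count:
        cmd += ["-c", str(count)]
    return cmd + [host]


def send_test_request(url, timeout=10):
    """Issue one GET and return (status, utc_sent_at).

    The IDS inspects the request on the wire, so the server's reply does not
    matter: a 404 (path does not exist on the server) still counts as sent.
    status is None when no HTTP reply came back at all (refused, timed out).
    """
    sent_at = dt.datetime.now(dt.timezone.utc)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as exc:  # server answered, just not 2xx
        status = exc.code
    except (urllib.error.URLError, OSError):  # no HTTP reply at all
        status = None
    return status, sent_at


def run_http_tests(webserver, scheme="http", names=None):
    """Fire every selected test URL; return {name: (url, status, iso_timestamp)}."""
    results = {}
    for name in names or list(TEST_PATHS):
        url = build_url(webserver, name, scheme)
        status, sent_at = send_test_request(url)
        results[name] = (url, status, sent_at.isoformat())
        print(f"{sent_at.isoformat()}  {name:<18} HTTP {status}  {url}")
    return results


def main():
    parser = argparse.ArgumentParser(description="Generate Alert Logic test events and incidents")
    parser.add_argument("webserver", help="web server name or address (placeholder, e.g. web.example.test)")
    parser.add_argument("--scheme", default="http", choices=["http", "https"])
    parser.add_argument("--icmp", metavar="HOST", help="also send the ICMP event payload to HOST via hping3 (needs root)")
    args = parser.parse_args()

    run_http_tests(args.webserver, args.scheme)

    if args.icmp:
        cmd = hping3_event_command(args.icmp, count=3)
        if shutil.which("hping3") is None:
            print("hping3 not installed; would have run:", " ".join(cmd))
        else:
            print(dt.datetime.now(dt.timezone.utc).isoformat(), "running:", " ".join(cmd))
            subprocess.run(["sudo"] + cmd, check=False)


if __name__ == "__main__":
    main()
```

Run it as `python3 altest.py web.example.test --icmp 10.0.0.5` (placeholder names). The printed timestamps are the values to compare against the event and incident times shown in the console; a 404 from the web server is expected and harmless, because the detection happens on the traffic, not on the server's response.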