Garett Montgomery, Sr. Security Research Engineer at Ixia
Sr. Security Research Engineer at Ixia
Blog

Ixia BreakingPoint Strike Lists: Update and FAQ

May 29, 2015 by Garett Montgomery

Since I last wrote about Strike Lists back in 2013, I've fielded quite a few questions about Strike Lists and their usage. Since we've got another canned Strike List that will be added as part of the upcoming ATI-2015-11 Strikepack, I thought now would be a good time to revisit the topic, as well as share some answers to some of the more frequently asked questions.

First, a refresher on some Strike List terms:

  • Canned Strike List: A Strike List that is provided as part of the bi-weekly ATI-Strikepack. (Canned Lists cannot be modified; but they can be copied—at which point they become a Custom List.)
  • Custom List: Any Strike List created by a user.
  • Static Strike List: A Strike List populated by a list of Strike file-paths; these lists are usually not modified.
  • Dynamic (Smart) Strike List: A Strike List populated by search results; search terms can include: keywords, severity (CVSS), protocol, direction, etc. These lists are designed to change—so you'll likely see changes with each new ATI-Strikepack.

Next, a note about deprecation:

The Strike Lists named Strike Level 1-5 are Static Strike Lists. They only contain strikes from 2010 and previous years. They have not been updated in several years, and are really only useful in comparing detection rates for older vulnerabilities (~2006-2010). These lists have been superseded by the Dynamic Strike Lists, named Strike Level 1-3 for the years 2010 going forward.

Starting with 2010, there are three Dynamic Strike Lists for each year, with the naming convention Strike Level <number>, <year> (ie. Strike Level 2, 2014). These Dynamic Strike Lists are populated based on the year of publication, as well as severity of the vulnerability (CVSS score). For example, Strike Level 1, 2012 includes all strikes with CVSS score of 10 published in 2012. If a subsequent ATI-Strikepack includes a strike for 2012, with a CVSS score of 10, it will automatically be included in the Strike List.

Recently Added Strike Lists:

With the release of BPS 3.4, several new canned Strike Lists were added:

  • Strike Variants (https://strikecenter.ixiacom.com/docs/StrikeVariations.pdf):
    • StrikeVariants: All MultiVariant Strikes; Strikes with 2 or more Variants
    • StrikeVariants: Top 10; List of 10 Strikes with the most Variants (6900-326592)
    • StrikeVariants: Fewer Variants; All MultiVariant Strikes, minus the Top 10
  • Fuzzing Strike Lists (fuzzer Strikes)
    • All Protocol Fuzzers, an inclusive list of Strike for fuzzing
    • 14 Protocol-specific Fuzzer Lists (BGP, DNS, FTP, etc.)

New Strike List:

ATI-2015-11 includes an “All One-Way Strikes.” This Strike List includes 1900+ unidirectional strikes. This means they only send traffic from a client—there is no response from a server. This means these strikes are ideally suited for verifying vulnerabilities in real target systems, using One-Arm Testing mode.

Note1: These Strikes can damage vulnerable systems—do not target in production systems.

Note2: For vulnerability (and strike) a targeted system must be vulnerable, and may need additional configuration, in order to be suitable for vulnerability verification.

And finally, some answers:

Q: Which are the best Strike Lists to use?

A: While there is no single List that is best for all environments, some Strike Lists are likely to be applicable in most environments (with current strike count):

  • Microsoft Strikes (all Microsoft-related strikes): 2048
  • Critical Strikes (all Strikes with CVSS 10): 671
  • Important Strikes (all Strikes with CVSS 7-10): 3656
  • New Strikes (a list of the strikes published in the latest ATI-Strikepack): ~20

Q: What is the best way to use a Canned Strike List?

A: The canned Strike Lists published with each ATI represent what we believe to be a logical grouping of relevant strikes. But each environment is different, and so the best way to make use of Canned Strike Lists is probably as a template for your own Custom Strike Lists. By saving a canned Strike List with a new name, it becomes a Custom Strike List and can be edited. Adding additional terms to be searched for is one way to make a canned Strike List more effective in your environment.

Q: How can I get a list of what strikes are in a Strike List?

A: If you just want a glance at which strikes are in a Strike List, or want to know how many Strikes are in the list, you can use the Enhanced Shell* from the command line. Type 'strike members “$STRIKE LIST” where $STRIKE LIST is the name of the Strike List. This will display a numbered list of Strikes in the Strike List.

If you want a file containing a list of strikes—and the above method does not work for you—you can generate an xml-formatted list of strikes by performing a few steps:

  1. From the Managers: Strike Lists page, Search for and Open the Strike List
  2. In the lower right corner, click the orange Add Strike button.
  3. On the following screen, in the upper left corner, make sure the Use as Smart Strike List box is unchecked.

Strike List Dialog

  1. When you are done with that screen, hit okay to return to the Strike List Page
  2. In the lower left of the screen, click the Export button. This will bring up a dialog box (remember to disable any popup-blockers) which will allow you to save the list of strikes. The extension will be .bap, and can be viewed with any text editor.

An enhanced shell is available on StrikeCenter: https://strikecenter.ixiacom.com/esh/install.sh.

And now, some highlights:

And just in case you weren't aware, I thought I would point out some of the more specific canned Strike Lists that are available:

  • Mobile Malware Strikes (for anything related to mobile malware)
  • SCADA Strikes (for anything related to SCADA)
  • We also have a canned Strike List for each month since 2005 that Microsoft hash issued patches (Microsoft Tuesday – YEAR Month), as well as for each year.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) program provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.

Additional Resources:

View Ixia’s Full ATI Protocol List