A large coverage

Testing an IDS can be a tedious task; it can even become a nightmare, especially if you test it manually!

Pytbull is automatic and complete.

Pytbull is shipped with about 300 tests grouped in 11 testing modules:

  1. badTraffic: non-RFC-compliant packets are sent to the server to test how such packets are processed.
  2. bruteForce: tests the ability of the server to track brute-force attacks (e.g. against FTP). Makes use of custom rules on Snort and Suricata.
  3. clientSideAttacks: this module uses a reverse shell to provide the server with instructions to download remote malicious files. It tests the ability of the IDS/IPS to protect against client-side attacks.
  4. denialOfService: tests the ability of the IDS/IPS to protect against DoS attempts.
  5. evasionTechniques: various evasion techniques are used to check whether the IDS/IPS can detect them.
  6. fragmentedPackets: various fragmented payloads are sent to the server to test its ability to reassemble them and detect the attacks.
  7. ipReputation: tests the ability of the server to detect traffic from/to low-reputation servers.
  8. normalUsage: payloads that correspond to normal usage.
  9. pcapReplay: replays pcap files.
  10. shellCodes: sends various shellcodes to the server on port 21/tcp to test the ability of the server to detect/reject shellcodes.
  11. testRules: basic rule testing. These attacks are supposed to be detected by the rule sets shipped with the IDS/IPS.
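The fragmentedPackets and evasionTechniques modules above both probe the same weakness: a sensor that matches signatures on each fragment in isolation never sees a pattern that straddles a fragment boundary. The following is an added example written for this page, not pytbull's own code, and it models that behaviour in pure Python: a constructed request carrying a constructed marker string is cut into fragments so that the marker spans two of them, delivered out of order, and then checked both per fragment and after reassembly. The payload, the marker, the cut points and the overlap policy are all assumptions chosen for the illustration.

```python
"""Fragmented-payload detection: why an IDS must reassemble before matching.

Added example, not part of pytbull. A signature split across fragments is
invisible to per-fragment matching and only appears once the stream has been
rebuilt. Payload, marker string and fragment cut points are constructed.
"""
import re

# Constructed marker standing in for a rule's content match.
SIGNATURE = re.compile(rb"PYTBULL-TEST-MARKER")

# Constructed request; the 19-byte marker occupies offsets 18..36.
PAYLOAD = b"GET /index.html?q=PYTBULL-TEST-MARKER HTTP/1.0\r\n\r\n"


def fragment(payload, cuts):
    """Split payload at the given byte offsets into (offset, data) fragments."""
    bounds = [0, *cuts, len(payload)]
    return [(start, payload[start:end]) for start, end in zip(bounds, bounds[1:])]


def match_per_fragment(frags, signature=SIGNATURE):
    """Naive detector: inspect every fragment on its own, with no reassembly."""
    return any(signature.search(data) for _, data in frags)


def reassemble(frags):
    """Rebuild the stream from fragments that may arrive in any order.

    Refuses to produce output when a piece is missing or when overlapping
    fragments disagree: matching on a partial or ambiguous stream would give a
    false verdict, which is exactly the ambiguity evasion tests aim at.
    """
    stream = bytearray()
    for offset, data in sorted(frags):
        if offset > len(stream):
            raise ValueError(f"gap before offset {offset}: fragment missing")
        if offset < len(stream):
            overlap = len(stream) - offset
            if bytes(stream[offset:]) != data[:overlap]:
                raise ValueError(f"conflicting overlap at offset {offset}")
            data = data[overlap:]
        stream.extend(data)
    return bytes(stream)


def match_after_reassembly(frags, signature=SIGNATURE):
    """Reassembly-aware detector: rebuild the stream, then match once."""
    return signature.search(reassemble(frags)) is not None


def demo():
    """Cut the marker at offset 24 (inside it), deliver fragments reversed."""
    frags = fragment(PAYLOAD, cuts=[24, 40])
    out_of_order = list(reversed(frags))
    return {
        "per_fragment": match_per_fragment(out_of_order),
        "reassembled": match_after_reassembly(out_of_order),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:>13}: {'DETECTED' if hit else 'missed'}")
```

Run as a script, the per-fragment check reports the marker as missed while the reassembled check detects it; a test campaign that only exercised whole packets would never expose that difference, which is why the fragmented and evasion modules exist as separate groups.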

A comprehensive interface

Pytbull's main interface is the command line (CLI). To avoid a long list of arguments, most options are provided in the configuration file.

During a test campaign, all tests are shown in real time, and detailed results can be displayed with the debug option.

Once all tests have been processed, an HTML-based report is available.

Adaptability & Flexibility

Adaptability

Pytbull easily adapts to your environment, whatever your IDS/IPS (Snort, Suricata, ...) and your architecture (standalone mode or gateway mode).

There are basically two types of architecture: standalone mode and gateway mode.

Depending on the mode you choose, tests are processed differently (e.g. a reverse shell is used in standalone mode to simulate a client that downloads malicious files).

Flexibility

Pytbull tests are based on a very comprehensive syntax that lets you write your own tests. Refer to the official documentation for more information.