
Fuzz Testing Tools (1): Defensics

Author: 容域科技  Published: 2023-02-20
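Defensics is a fuzz testing tool. Baidu Baike defines fuzz testing (fuzzing) as a method of discovering software vulnerabilities by supplying unexpected input to a target system and monitoring for abnormal results. It triggers previously unknown vulnerabilities by means of anomalous input.
Fuzz test cases are generated in one of two ways: generation-based or mutation-based. Mutation-based fuzzing starts from real inputs and produces test cases by randomly modifying the samples or by modifying them according to their structure. Generation-based fuzzing requires a good understanding of the protocol or file format under test: a model of that protocol or file format is built, and the fuzzing tool then generates test cases from the model, giving perfect coverage of the protocol's functionality.
A document from the company behind Defensics once compared generation-based and mutation-based fuzzing in terms of test cases, execution time and vulnerabilities found: the generation-based tests took much less time to run and used far fewer test cases, yet found many more vulnerabilities.
Our company uses Defensics mainly for fuzz testing of the TCP/IP protocols. At this stage the work is done mainly with the test suites provided by Codenomicon; we have not yet fuzzed the company's internal protocols.
Defensics is provided by Codenomicon, which also supplies test suites for common protocols; the latest test suites can be downloaded from the company's website. The ones used most at present are the ARP Server/Client Test Suite, the IPv4 Test Suite, the TCP for IPv4 Server/Client Test Suite, the ICMPv4 Test Suite and similar suites. The largest test suite may contain over a million test cases, and even the smallest has tens of thousands.
Defensics mainly targets protocols: it feeds in mutated, anomalous and invalid protocol data in order to check how well the system handles such data. Examples are extending the TCP port field by one byte or setting the TCP window size to 0. Each test suite is the sum of the anomalous data covering every aspect of one protocol.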
For example, the TCP for IPv4 Server Test Suite is organized as follows:
   TCP for IPv4 server test suite:
       active-close   --named group
       wait-close
       SYNACK-Reset
       Established-Reset
       Sockstress
       known-Attacks
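
The two test-case generation approaches and the TCP anomalies mentioned above (window size 0, a field extended by one byte), as an added example that is not part of the original article and is not Defensics code. The field model, the sample values and the strict_parse receiver check are assumptions made for illustration; nothing is sent on the network.

```python
import random
import struct

# Field model of an option-less TCP header: (name, struct code, valid value).
# All values are constructed samples; the checksum is left 0 and not verified.
MODEL = [("src_port", "H", 40000), ("dst_port", "H", 80),
         ("seq", "I", 1), ("ack", "I", 0),
         ("off_flags", "H", (5 << 12) | 0x002),  # data offset 5 words, SYN
         ("window", "H", 65535), ("checksum", "H", 0), ("urgent", "H", 0)]

def build(overrides=None, extra=None):
    """Serialize the model; overrides replaces a value, extra appends bytes to a field."""
    overrides, extra = overrides or {}, extra or {}
    return b"".join(struct.pack("!" + fmt, overrides.get(name, value))
                    + extra.get(name, b"") for name, fmt, value in MODEL)

def generated_cases():
    """Generation-based: boundary and length anomalies for every modelled field."""
    yield "valid", build()
    for name, fmt, _ in MODEL:
        yield f"{name}=0", build({name: 0})
        yield f"{name}=max", build({name: 0xFFFF if fmt == "H" else 0xFFFFFFFF})
        yield f"{name}+1byte", build(extra={name: b"\x00"})

def mutated_cases(count, seed=1):
    """Mutation-based: corrupt one random byte of a valid sample."""
    rng = random.Random(seed)
    for i in range(count):
        raw = bytearray(build())
        raw[rng.randrange(len(raw))] ^= rng.randrange(1, 256)
        yield f"mut{i}", bytes(raw)

def strict_parse(raw):
    """Receiver-side validation: return the rejection reason, or None if accepted."""
    if len(raw) < 20:
        return "truncated"
    offset = (raw[12] >> 4) * 4
    if offset < 20:
        return "data offset below minimum"
    if offset > len(raw):
        return "data offset beyond segment"
    return None

def verdicts(cases):
    """Map each case name to the parser's verdict."""
    return {name: strict_parse(raw) for name, raw in cases}

if __name__ == "__main__":
    for name, reason in verdicts(generated_cases()).items():
        print(f"{name:18} {reason or 'accepted'}")
```

The window=0 case and the extra byte placed after the data-offset field pass a purely syntactic check, so whether they are handled safely can only be judged from the behaviour of the system under test during a run.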
       
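Places where vulnerabilities have already appeared often still contain weak points.
If you are not sure whether the system under test supports a given test suite or group, the tool can scan automatically to find out.
Without the test suites from the official website, it is hard to write reasonably comprehensive and systematic fuzz test cases yourself.
Defensics is also a fairly good automated testing tool: everything from running the test cases to displaying the results to producing the report is automated. A single suite can contain as many as a million test cases, so if it could not run fully automatically that would be a real headache.
Defensics can record logs at different levels, such as valid case and failed case, valid case and anomaly messages, debug trace (full logging) and no trace. Usually valid case and failed case is chosen; keeping every log takes a lot of space, and more importantly the logs are laborious to analyze.
After the test cases have finished running, the result view shows the outcome: if all test cases passed, the folder is marked green, and if any test case failed, the folder is marked red.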
 
The result folder mainly contains three files: main.log, notes.xml and statistics.csv. main.log records the packets exchanged between the system under test and the test system; opening it shows the actual data of each packet. statistics.csv shows which test cases passed and which failed; opening a failed test case also shows the packets and where in the packet the anomaly was introduced.
 
The following is what the official Defensics 11 documentation says the main log contains:
 Defensics 11 Main log
 
Main log
Main log contains detailed test run results, including details of sent and received messages. Main log file is opened to main log viewer that can show details of the file in the viewer component on the right.
Please note that the main log may be a large file in long test runs, depending on the logging settings.
A main log can have the following log entries:
Test case info
The beginning and the end of each test case is logged. Click the test case index line to go to test case documentation. Each test case is given a verdict, usually with some remarks explaining the cause of the verdict.
Messages
Green message line indicates an outgoing message and blue line an incoming message. Message contents may be available by clicking the message line. Use the 'Save to file...' link to save the message content. For test cases with long overflow anomalies, the content is abbreviated for performance reasons.
Other entries
Test suite specific log entries may be present.
 
notes.xml is a report in XML format that mainly records information such as the test system and the test suite. I don't think it is of much use for analyzing specific vulnerabilities.
 
 Defensics 11 Notes file
 
Notes file
Notes can be used to store user-supplied information about a test run. Carefully filled notes may improve test run identification and search remarkably. Notes are stored as an XML file notes.xml. Contrast to other files, which are generated by the test driver during the test run, notes file can be edited by user during and also after the test execution.
Information in notes file is organized into key-value pairs. There are some built-in keys, which are used in report generation. However, user can provide any new keys for own use. The built-in keys are described here.
 
Special directory for results
A directory where to test runs result files are placed. Directory structure of result directories with a defined testplan.directory is: result directory/<testplan directory>/suitename/timestamp/<result files>. Key used in xml file: Testplan.Directory.
 
System under test
Name of the System Under Test (SUT). Added to report document. Key used in xml file: SUT.Name
 
Version of the system under test
Version of the System Under Test (SUT). Added to report document. Key used in xml file: SUT.Version
 
Tester name
Name of the tester. Key used in xml file: Tester.Name
 
Tester contact information
Contact information of the tester, such as e-mail address. Key used in xml file: Tester.Contact
 
Name of the test run
Name of the test run is shown in result browser. This will replace the default test run name consisting of date and time. Key used in xml file: Testrun.Name
 
Report name
Name of an generated report document. Key used in xml file: Report.Name
 
Report information
Longer description added to the Executive summary page of a report document. Key used in xml file: Report.Info
 
Used sequence files
Sequence used in the test run. Visible in result browser. Key used in xml file: Testrun.Used.Sequence
 
Continuation of defined testrun
Denotes this test run is resumed from a previous test run defined by the value. Key used in xml file: Testrun.Continuation-of
 
Continues in defined test run
This test continues in test run defined by the value. Key used in xml file: Testrun.Continued-in
 
Auxiliary test run in
Test run has an auxiliary test run in. Key used in xml file: Testrun.Auxiliary-in
 
Type of the test run
Type of test is marked here, possible values are normal, auxiliary and valid. Key used in xml file: Testrun.Type
 
Test case selection mode
Test case selection mode is marked here. Possible values are all, random, %value, first and last. Key used in xml file: Testrun.Selection.Mode
Notes file is lazily created by GUI when required. The file does not exist, if there has been no need for it!
Templates and Editing
You can edit notes using result browser by clicking the file notes.xml. You can edit values for built-in keys. You can add new keys as well. Changes to the notes are automatically saved.
You can import notes from templates as well. There is a list of saved templates on top of the view. Mouse over a template will show the saved template content. Select a template and click "Import from template". It will overwrite all the editable values. New templates can be defined in 'All' -> 'Notes' tab of the GUI.
Notes are saved as xml and are editable in external editors too. See more details about the notes xml format
 
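The third file is statistics.csv, which records in tabular form whether each test case passed, along with related information. The official documentation is rather long, so I won't paste it here.
 
After a run completes, the tool can also generate a summary report of the failed test cases. Here is an example.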
 
 Test run summary   
 
20140901-0317-03 : TCP for IPv4 Server Test Suite
 
  Overall verdict   
  Overall verdict      FAIL
[   Test case count   ]   1
  Failures    
Verdicts from valid case or external instrumentation
  Analysis tools   
 
  System under test   
  Name   
 
  Version   
 
  Instrumentation methods   
  Valid case instrumentation       ENABLED   
  External instrumentation           DISABLED   
  SNMP instrumentation              DISABLED   
  Instrumentation fail limit           1
  Instrumentation frequency        1
 
  Verdict from valid case instrumentation / connection instrumentation   
  Overall verdict           fail
  Test cases in total    1
  Failed                          1
Passed                        0
  Test execution time   
  Test run started        20140901 03:17:03
  Test run ended         20140901 03:17:13
  Running time           00:00:10
  Average cases per second   
 
  Test setup   
  Name of the tester   
 
  Contact information   
 
  Operating system    Linux i386 3.7-trunk-686-pae
  Java                          1.7.0_25 23.25-b01 mixed mode
   Test suite   
  Name                      TCP for IPv4 Server Test Suite
  Version                  4.2.1
  License                 Licensed to***
  Suite hash            ***
  Options   
  Sequence                                 TCP with HTTP GET payload (in file user/http.seq)
  Test case selection mode      all
  Test run type                             normal
  Options in detail    
...
  Test run analysis   
  Click the links below to perform some advanced analysis of the selected test runs:   
  Denial of Service Analysis    
  Analyze the Denial Of Service (DOS) situations during the failed test cases. The analysis provides an estimate of the vulnerability of SUT for DOS attacks.   
  Response Analysis    
  Find our all different Status responses from the SUT and list them with representative test cases. The analysis provides an overview for SUT behavior and error modes.   
  Slow Test Case Analysis    
  Find the non-failed test cases which running times compared to amount of sent traffic are the longest.   
 
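Clicking the Denial of Service Analysis link shows more detailed information on whether the system suffered a DoS attack during this test case.
Response Analysis lists the different statuses that the system under test (SUT) returned while the failed test cases were executed.
 
It may look as if testing is finished and the report is in hand, but in fact perhaps less than 1/3 of the work has been done.
 
1. Re-run all the failed test cases.
 
2. For each failed test case, check the state of the system under test at the time of failure, whether that state is acceptable for the system, and what potential risk it carries.
 
3. Test cases that lead to DoS can be tested once more with a DoS tool.
 
Analyzing and tallying all the failed test cases shows in which areas the protocol's handling of malformed data tends to go wrong and so cause serious security problems. Finally, submit the test report, file the bugs, track their status, verify the bugs again once development has fixed them, and so on.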