
Manual General Tripwires Testing

This guide covers manual testing methods for general tripwires when you need to validate actual tripwire functionality in your environment rather than just testing Horizon3 infrastructure.

Customer Environment Impact

Manual testing methods generate real activity and events in your customer environment. Unlike UI testing, which only exercises Horizon3 infrastructure, manual testing interacts with the deployed tripwires themselves and may trigger logging, monitoring, or security systems in your environment.

AWS Credentials File Testing

To manually test AWS credentials tripwires:

  1. Locate Test Credentials: Identify AWS credentials tripwires deployed in your environment
  2. Attempt Usage: Try to use the credentials with AWS CLI or SDK tools
  3. Monitor for Alerts: Check for alerts within 5-10 minutes of the test
  4. Validate Alert Content: Ensure alerts contain correct source IP and timestamp information

Testing Considerations

Only test with credentials you know are tripwires. Never test with production AWS credentials.

Example Testing Commands

# Example AWS CLI commands to test credentials. They assume the tripwire's access key ID
# and secret key are configured as a named CLI profile (here tripwire-test), for example
# in ~/.aws/credentials; substitute whatever profile name you used.
aws sts get-caller-identity --profile tripwire-test
aws s3 ls --profile tripwire-test
aws ec2 describe-instances --profile tripwire-test

MySQL Dump File Testing

To test MySQL dump tripwires:

  1. Identify Test Files: Locate MySQL dump files placed by tripwires
  2. Check the MySQL Version First: Run mysql --version; the tripwire only fires when the dump is imported with a MySQL version earlier than 8.0.23
  3. Import the Dump File: Actually import the dump into that MySQL instance. Opening, reading, or searching the file does not trigger the tripwire
  4. Check DNS Callbacks: Monitor for DNS callback attempts to Horizon3.ai systems
  5. Verify Alerting: Confirm alerts are generated and properly delivered

MySQL Version Requirement

The MySQL dump tripwire requires importing the file with MySQL version <8.0.23. Simply examining the file contents will not trigger the tripwire - you must perform an actual import operation.

Example Testing Commands

# Check MySQL version (must be <8.0.23)
mysql --version

# Import the tripwire dump file
mysql -u username -p database_name < /path/to/tripwire_dump.sql

# Alternative method
mysql -u username -p
mysql> source /path/to/tripwire_dump.sql;
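A version gate for the import step, added here as an example and not part of Horizon3's tooling: it parses the banner that mysql --version prints and refuses to proceed unless the version is below 8.0.23, the requirement stated above. The banners used to exercise it are constructed. Note that mysql --version reports the client binary; if the server you import into is a different build, confirm it with SELECT VERSION(); as well, since the page does not say which side is decisive.

```python
"""Version gate for importing the MySQL dump tripwire.

Added example, not Horizon3 code. The page requires MySQL earlier than 8.0.23
for the tripwire to fire, so this refuses the import step unless the banner
printed by `mysql --version` parses to such a version.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First version on which, per the page, the dump no longer triggers the tripwire.
FIRST_UNSUPPORTED: Version = (8, 0, 23)

# First x.y.z number in the banner. MySQL 5.x prints the client-library version
# as two parts ("Ver 14.14 Distrib 5.7.44"), so a three-part match skips it.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_mysql_version(banner: str) -> Optional[Version]:
    """Return the MySQL version from a `mysql --version` banner, or None.

    MariaDB banners ("... 10.6.12-MariaDB ...") return None: the page's
    requirement is stated for MySQL, and MariaDB uses its own numbering.
    """
    if "MariaDB" in banner:
        return None
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def import_allowed(version: Version) -> bool:
    """True when the version is one the page says will trigger the tripwire."""
    return version < FIRST_UNSUPPORTED


def check_mysql_client(mysql_binary: str = "mysql") -> Tuple[bool, str]:
    """Run `mysql --version` and return (allowed, human-readable reason)."""
    try:
        banner = subprocess.run(
            [mysql_binary, "--version"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        return False, f"could not run '{mysql_binary} --version': {exc}"
    version = parse_mysql_version(banner)
    if version is None:
        return False, f"not a recognised MySQL banner: {banner.strip()}"
    label = ".".join(map(str, version))
    if not import_allowed(version):
        return False, f"MySQL {label} is not earlier than 8.0.23; the dump tripwire will not fire"
    return True, f"MySQL {label} is earlier than 8.0.23; proceed with the import"


if __name__ == "__main__":
    ok, reason = check_mysql_client()
    print(reason)
    # A non-zero exit lets a wrapper script stop before running
    # `mysql -u username -p database_name < /path/to/tripwire_dump.sql`.
    raise SystemExit(0 if ok else 1)
```

Run it immediately before the import command; a non-zero exit means the import would be wasted effort because the tripwire cannot fire on that version.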

Windows Process Monitor Testing

To test Windows process monitoring tripwires:

  1. Access Target System: Connect to a Windows machine with process monitoring tripwires
  2. Execute Monitored Commands: Run commands like tasklist, systeminfo, netstat
  3. Monitor Detection: Check for DNS callbacks and alert generation
  4. Validate Response: Ensure alerts include correct process and system information

Monitored Commands

The following commands are monitored by Windows process monitoring tripwires:

  • tasklist.exe
  • certutil.exe
  • systeminfo.exe
  • netstat.exe
  • at.exe

Example Testing Commands

# Execute monitored commands to trigger detection
tasklist
systeminfo
netstat -an
certutil -urlcache -split -f http://example.com/test
at
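The AWS credential probes and the Windows process-monitor probes above need the same bookkeeping: the exact command, its UTC start time, the host and user it ran as, and the child process that executed it, so the alert's source IP, timestamp and process details can be validated against a record rather than memory. The following runner is an added example, not Horizon3 code. It assumes an AWS CLI profile named tripwire-test holding the tripwire's key (the name used in the examples above) and writes one JSON line per probe to tripwire-probes.jsonl (an assumed file name). The commands used in the test are constructed stand-ins so the runner can be exercised offline.

```python
"""Evidence-logging runner for the manual tripwire probes on this page.

Added example, not Horizon3 code. Each probe is recorded with its UTC start
time, the host and user it ran as, the child PID, exit status and the head of
its output, so the alert that should follow can be checked field by field.
"""
import datetime as dt
import getpass
import json
import os
import platform
import socket
import subprocess
from typing import Dict, List

# The page says alerts should arrive within 5-10 minutes of the test.
ALERT_WINDOW = dt.timedelta(minutes=10)

# AWS probes from this page. They assume the tripwire's access key is
# configured as the CLI profile "tripwire-test" (assumed name, as in the page).
AWS_PROBES: List[List[str]] = [
    ["aws", "sts", "get-caller-identity", "--profile", "tripwire-test"],
    ["aws", "s3", "ls", "--profile", "tripwire-test"],
    ["aws", "ec2", "describe-instances", "--profile", "tripwire-test"],
]

# Windows process-monitor probes from this page; run on the monitored host only.
WINDOWS_PROBES: List[List[str]] = [
    ["tasklist"],
    ["systeminfo"],
    ["netstat", "-an"],
    ["certutil", "-urlcache", "-split", "-f", "http://example.com/test"],
    ["at"],
]


def _current_user() -> str:
    try:
        return getpass.getuser()
    except Exception:  # minimal containers may have no passwd entry
        return "unknown"


def run_probe(argv: List[str], timeout: int = 120) -> Dict[str, object]:
    """Run one probe and return a JSON-serialisable evidence record.

    A missing binary or a hung command is recorded, not raised, so a batch
    keeps its one-record-per-probe shape for later comparison with alerts.
    """
    started = dt.datetime.now(dt.timezone.utc)
    record: Dict[str, object] = {
        "command": " ".join(argv),
        "started_utc": started.isoformat(timespec="seconds"),
        "expect_alert_by_utc": (started + ALERT_WINDOW).isoformat(timespec="seconds"),
        "host": socket.gethostname(),
        "user": _current_user(),
        "os": platform.platform(),
        "runner_pid": os.getpid(),
        "child_pid": None,
        "exit_code": None,
        "error": None,
    }
    try:
        proc = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    except FileNotFoundError:
        record["error"] = f"{argv[0]} not found on this host"
    else:
        record["child_pid"] = proc.pid  # the PID a process-monitor alert should name
        try:
            out, err = proc.communicate(timeout=timeout)
        except subprocess.TimeoutExpired:
            proc.kill()
            proc.communicate()
            record["error"] = f"timed out after {timeout}s"
        else:
            record["exit_code"] = proc.returncode
            record["stdout_head"] = out[:500]
            record["stderr_head"] = err[:500]
    record["finished_utc"] = dt.datetime.now(dt.timezone.utc).isoformat(timespec="seconds")
    return record


def run_batch(probes: List[List[str]], log_path: str) -> List[Dict[str, object]]:
    """Run probes one at a time, in order, appending each record as a JSON line."""
    records = []
    with open(log_path, "a", encoding="utf-8") as log:
        for argv in probes:
            rec = run_probe(argv)
            log.write(json.dumps(rec) + "\n")
            log.flush()
            records.append(rec)
    return records


if __name__ == "__main__":
    import sys

    which = sys.argv[1] if len(sys.argv) > 1 else "aws"
    if which == "windows" and platform.system() != "Windows":
        raise SystemExit("run the process-monitor probes on the Windows host that carries the tripwire")
    probes = WINDOWS_PROBES if which == "windows" else AWS_PROBES
    for rec in run_batch(probes, "tripwire-probes.jsonl"):  # assumed log file name
        print(json.dumps(rec, indent=2))
```

During a real test, follow the page's one-test-at-a-time rule by running a single probe per invocation (pass a one-element list to run_batch) and waiting for the alert before the next. The timestamps are timezone-aware UTC so that a clock-skew problem shows up as a mismatch against the alert rather than as an ambiguous local time.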

Testing Best Practices for Manual Testing

Pre-Testing Preparation

  • Coordinate with security and IT teams
  • Ensure you have proper authorization to perform testing
  • Document which tripwires will be tested
  • Set up monitoring for expected alerts
  • Prepare rollback procedures if needed

During Testing

  • Execute one test at a time
  • Wait for expected detection before proceeding
  • Document exact commands used and timestamps
  • Monitor system behavior for unexpected effects
  • Record any error messages or failures

Post-Testing Validation

  • Verify alerts were generated for each test
  • Check alert content for accuracy
  • Confirm delivery to all configured endpoints
  • Clean up any test artifacts
  • Document results and any issues encountered

Troubleshooting Manual Testing

Common Issues

No Alerts Generated

  • Verify tripwires are properly deployed and active
  • Check network connectivity from test systems
  • Confirm monitoring services are operational
  • Validate test commands were executed correctly

Incorrect Alert Content

  • Check system clock synchronization
  • Verify source IP detection is working
  • Confirm alert formatting is correct
  • Review tripwire configuration

Delayed Alerts

  • Network latency may cause delays
  • Check for DNS resolution issues
  • Verify webhook endpoints are responsive
  • Monitor for system resource constraints

When to Use Manual Testing

Manual testing is recommended when:

  • You need to validate end-to-end tripwire functionality
  • Testing in development or lab environments
  • Troubleshooting specific detection issues
  • Performing comprehensive security validation
  • Training security team on tripwire behavior

When to Avoid Manual Testing

Avoid manual testing when:

  • Testing in production environments without proper coordination
  • You're unsure which credentials are tripwires
  • Network monitoring systems might be triggered
  • During business-critical operations
  • Without proper documentation and approval