Manual General Tripwires Testing
This guide covers manual testing methods for general tripwires when you need to validate actual tripwire functionality in your environment rather than just testing Horizon3 infrastructure.
Customer Environment Impact
Manual testing methods generate real activity and events in your customer environment. Unlike UI testing, which only exercises Horizon3 infrastructure, manual testing interacts with the deployed tripwires themselves and may trigger logging, monitoring, or security systems in your environment.
AWS Credentials File Testing
To manually test AWS credentials tripwires:
- Locate Test Credentials: Identify AWS credentials tripwires deployed in your environment
- Attempt Usage: Try to use the credentials with AWS CLI or SDK tools
- Monitor for Alerts: Check for alerts within 5-10 minutes of the test
- Validate Alert Content: Ensure alerts contain correct source IP and timestamp information
Testing Considerations
Only test with credentials you know are tripwires. Never test with production AWS credentials.
Example Testing Commands
# Example AWS CLI commands to test credentials
aws sts get-caller-identity --profile tripwire-test
aws s3 ls --profile tripwire-test
aws ec2 describe-instances --profile tripwire-test
MySQL Dump File Testing
To test MySQL dump tripwires:
- Identify Test Files: Locate MySQL dump files placed by tripwires
- Import the Dump File: You must actually import the dump file using MySQL version <8.0.23
- Use Appropriate MySQL Version: The tripwire will only trigger with MySQL versions earlier than 8.0.23
- Check DNS Callbacks: Monitor for DNS callback attempts to Horizon3.ai systems
- Verify Alerting: Confirm alerts are generated and properly delivered
MySQL Version Requirement
The MySQL dump tripwire requires importing the file with MySQL version <8.0.23. Simply examining the file contents will not trigger the tripwire - you must perform an actual import operation.
Example Testing Commands
# Check MySQL version (must be <8.0.23)
mysql --version
# Import the tripwire dump file
mysql -u username -p database_name < /path/to/tripwire_dump.sql
# Alternative method
mysql -u username -p
mysql> source /path/to/tripwire_dump.sql;
Windows Process Monitor Testing
To test Windows process monitoring tripwires:
- Access Target System: Connect to a Windows machine with process monitoring tripwires
- Execute Monitored Commands: Run commands like tasklist, systeminfo, netstat
- Monitor Detection: Check for DNS callbacks and alert generation
- Validate Response: Ensure alerts include correct process and system information
Monitored Commands
The following commands are monitored by Windows process monitoring tripwires:
tasklist.exe
certutil.exe
systeminfo.exe
netstat.exe
at.exe
Example Testing Commands
# Execute monitored commands to trigger detection
tasklist
systeminfo
netstat -an
certutil -urlcache -split -f http://example.com/test
at
Best Practices for Manual Testing
Pre-Testing Preparation
- Coordinate with security and IT teams
- Ensure you have proper authorization to perform testing
- Document which tripwires will be tested
- Set up monitoring for expected alerts
- Prepare rollback procedures if needed
During Testing
- Execute one test at a time
- Wait for expected detection before proceeding
- Document exact commands used and timestamps
- Monitor system behavior for unexpected effects
- Record any error messages or failures
Post-Testing Validation
- Verify alerts were generated for each test
- Check alert content for accuracy
- Confirm delivery to all configured endpoints
- Clean up any test artifacts
- Document results and any issues encountered
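The steps above ask you to record the exact command and timestamp of each test and then check that an alert with the correct source IP arrived within the expected 5-10 minute window. The following is an added example, not part of the Horizon3 documentation or product, that automates that post-testing check against a test log and a set of alerts; the alert fields (source_ip, timestamp) and the log entries are constructed for illustration and do not reflect the actual Horizon3 alert format.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed test log: one entry per manual test, recorded as the
# best-practices section recommends (exact command, UTC time, source IP).
TEST_LOG = [
    {"id": "t1", "command": "aws sts get-caller-identity --profile tripwire-test",
     "executed_at": "2024-05-01T14:00:00Z", "source_ip": "203.0.113.10"},
    {"id": "t2", "command": "aws s3 ls --profile tripwire-test",
     "executed_at": "2024-05-01T14:20:00Z", "source_ip": "203.0.113.10"},
    {"id": "t3", "command": "tasklist",
     "executed_at": "2024-05-01T14:40:00Z", "source_ip": "203.0.113.10"},
]

# Constructed alerts in a hypothetical, simplified format (assumption:
# each alert carries a source_ip and an ISO 8601 UTC timestamp).
ALERTS = [
    {"source_ip": "203.0.113.10", "timestamp": "2024-05-01T14:03:12Z"},
    {"source_ip": "198.51.100.7", "timestamp": "2024-05-01T14:21:05Z"},
]

# Detection window stated on the page: alerts expected within 5-10 minutes.
WINDOW = timedelta(minutes=10)

def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def match_alert(test, alerts, window=WINDOW):
    """Return the first alert raised within `window` after the test ran, else None."""
    start = parse_ts(test["executed_at"])
    for alert in alerts:
        if start <= parse_ts(alert["timestamp"]) <= start + window:
            return alert
    return None

def validate(test_log, alerts):
    """Classify each test as 'ok', 'no_alert' (check deployment/connectivity)
    or 'wrong_source_ip' (check source IP detection or NAT in the path)."""
    results = {}
    for test in test_log:
        alert = match_alert(test, alerts)
        if alert is None:
            results[test["id"]] = "no_alert"
        elif ipaddress.ip_address(alert["source_ip"]) != ipaddress.ip_address(test["source_ip"]):
            results[test["id"]] = "wrong_source_ip"
        else:
            results[test["id"]] = "ok"
    return results

if __name__ == "__main__":
    for test_id, verdict in validate(TEST_LOG, ALERTS).items():
        print(f"{test_id}: {verdict}")
```

A "no_alert" verdict maps to the "No Alerts Generated" troubleshooting list and "wrong_source_ip" to "Incorrect Alert Content"; a consistently late alert (outside the window) will also show up as "no_alert", which points at the "Delayed Alerts" checks.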
Troubleshooting Manual Testing
Common Issues
No Alerts Generated
- Verify tripwires are properly deployed and active
- Check network connectivity from test systems
- Confirm monitoring services are operational
- Validate test commands were executed correctly
Incorrect Alert Content
- Check system clock synchronization
- Verify source IP detection is working
- Confirm alert formatting is correct
- Review tripwire configuration
Delayed Alerts
- Network latency may cause delays
- Check for DNS resolution issues
- Verify webhook endpoints are responsive
- Monitor for system resource constraints
When to Use Manual Testing
Manual testing is recommended when:
- You need to validate end-to-end tripwire functionality
- You are testing in development or lab environments
- You are troubleshooting specific detection issues
- You are performing comprehensive security validation
- You are training the security team on tripwire behavior
When to Avoid Manual Testing
Avoid manual testing when:
- You are testing in production environments without proper coordination
- You're unsure which credentials are tripwires
- Network monitoring systems might be triggered
- Business-critical operations are in progress
- You lack proper documentation and approval