Below are details for each setting found in the Configure beSTORM, Configure Advanced Settings, Configure Behavior, and Configure Monitor Settings menus (these settings are also found in the beSTORM User Guide):


Configure beSTORM

  • Project Name - Specifies the name of the current project. The project name is editable.
  • Number of Parallel Attack Threads - Specifies the number of threads to use during a test. Running a test with multiple threads increases its speed, especially when beSTORM modules wait for a response.
  • Environment Settings - Dynamically displays environment settings for the current module. Settings can vary, depending on the module.


Configure Advanced Settings

  • Starting Saturation Rate Threshold - Specifies the starting saturation rate threshold, which determines the number of tests sent per second. Slide the control to increase the value. The default value is 100.
  • Scale Type- Optimizes testing by specifying the number of combinations sent per Module Buffer Type. Each Scale Type alters the Estimated combination count per Buffer number. The available options are:
    • Base2+/-2 - Sends buffer combinations by +/-2: 2,4,6,8,10,12,14,16, etc.
    • Base2+/-1 - Sends buffer combinations by +/-1: 0,1, 2,3,4,5,7,8,9,15,16,17, etc.
    • Base2 - Sends buffer combinations by 2,4,8,16,32, etc.
    • Base10+/-2 - Sends buffer combinations by +/-2: 10,100,1000,10000, etc.
    • Base10+/-1 - Sends buffer combinations by +/-1: 10,100,1000,10000, etc.
    • Base10 - Sends buffer combinations by 10,100,1000,10000, etc.
    • Serial - Sends buffer combinations by 1, 2, 3, 4, etc. Note: The Serial type is extremely time consuming. Only use this type if your test has no time constraints.
    • Timed - Select this type if you have time constraints for your test to run (that is, beSTORM only has 1 hour, 10 hours, 1 day, etc. to run a test), but want to test all fields regardless. The Timed type spends one second on each field in the first loop (changing the buffer types as usual, but stopping after one second) covering the entire protocol quickly. Then, on the second loop, it spends two seconds on each field, then four seconds, eight seconds, etc., until the allotted time expires. beSTORM will incrementally test more and more of each field until you stop the test manually.
  • Increment Order- Determines the order the module will use to test buffer sizes. The order does not affect the combination count or speed of the test.
    • Normal - Starts with small buffer sizes (for example, 2, 4, 8, 16, etc.) and increases in size as the test runs. This order can possibly find vulnerabilities more precisely as the smallest attack will trigger an issue.
    • Reverse - Starts with larger buffer sizes (for example, 2,000,000) and decreases in size as the test runs. This order can possibly find vulnerabilities earlier in the test.
  • Distributed Testing - Combines the Number of beSTORM copies available and beSTORM copy number settings to allow multiple copies of beSTORM to be in use and testing against the device under test (DUT). While working together, each copy can do 1/n of the tests. For example, if you run two copies of beSTORM in parallel, one copy will do half of the test, and the other copy will do the other half. The two values in this case would show Number of beSTORM copies available as 2 and beSTORM copy number as 1 in one copy of beSTORM, and beSTORM copies available as 2 and beSTORM copy number as 2 in the other copy of beSTORM.
  • Overflow buffers only once - Prevents testing a field in more than one combination. Selecting this setting can reduce testing time. This setting is disabled by default.
  • Allow Fuzzing of conditioned values - Fuzzes conditioned values (for example, length) as regular fields. Disabling this option only tests these values for logical issues (that is, too large length, too small length, negative length, and zero length) and reduces testing time. This setting is selected by default.
  • Debug function in/out to log files - Selecting this setting instructs beSTORM to log additional debug information into a file (for example, received and sent data, function calls (that process the data), etc.), but doing so will severely impact its performance. This setting is disabled by default.


Configure Behavior Settings

  • Interface refresh rate (seconds) - Specifies the user interface refresh rate. The default value is 1 as this is sometimes a labor intensive process, but increasing the value slows down the refresh rate of user interface, which is ideal when beSTORM is run in batch mode and user interaction is expected.
  • Saturation Rate Threshold Optimization - Specifies how your testing speed is determined.
  • Auto Adjust - Optimize CPU usage - Runs your test as quickly as possible, utilizing up to 75% of available CPU bandwidth on the local machine, based on reports from the beSTORM monitor.
  • Fixed Saturation Rate Threshold - Sends a fixed number of tests per second, based on the Starting Saturation Rate Threshold setting under Configure Advanced Settings. Note: beSTORM will attempt to reach and stay at this speed during the test, but the speed may fluctuate at times.
  • Send SMTP (Email) Notifications- To send email notifications to contacts when an event in beSTORM occurs during a fuzzing session, enter the following email information:
    • From - The sender's email address to use with email notifications.
    • To - The email address(es) to send email notifications to (use a comma to separate multiple email addresses).
    • SMTP Server - The IP address of the SMTP server.
    • SMTP Port - The port number of the SMTP server boxes.
    • Notification Types- After entering email addresses and SMTP information, select which types of notifications to send when the corresponding event occurs:
      • Test Started - When fuzzing starts.
      • Test Paused - When fuzzing is paused.
      • Tested Ended - When fuzzing ends.
      • Test Error - When fuzzing experiences an error.
      • Test Failure - When fuzzing fails.
      • Exception Found - When an exception is found during fuzzing.

Configure Monitor Settings

  • Enable Batch Mode - Instructs beSTORM to run in non-interactive mode. In this mode, beSTORM will automatically start, run a test, if an exception is found the test will automatically resume as soon as the device under test responds, and then automatically closes beSTORM once testing is done. This setting is selected by default.
  • Monitor Port Assignment - The beSTORM counterpart for testing is a monitor that either resides on the same computer as the beSTORM Client, or on a different server. Change the default port numbers, if necessary.
    • Hostname or IP address - The hostname or IP address of the monitor.
    • Incoming Command Port - Receives responses from the monitor to the beSTORM Client. The default port number is 6970.
    • Outgoing Command Port - Sends information from the beSTORM Client to the device under test. The default port number is 6971.
    • Incoming Exception Port - Sends exceptions received by the monitor to the beSTORM Client. The default port number is 6969.
  • Enable Monitor Enforcement - Instructs beSTORM to not start or conduct any test until the monitor counterpart reports that it can monitor the device under test.
  • Monitor Type(s)- Specifies the provided monitor type(s)/external monitor to use to verify the remote device under test is functioning by communicating with it using the respective protocol (ARP, ICMP, UDP, and TCP). The available options are:
    • ARP Echo – Attempts to resolve the IP address of the machine tested into a MAC address. Note: ARP Echo works on LAN in a WAN environment where the target is not on the same network/subnet class. An ARP response is received from the Router that connects the two networks, thus causing a false status.
    • ICMP Echo – Attempts to perform an ICMP Echo/ICMP Response test on the remote IP address.
    • UDP Echo – Attempts to verify whether the remote UDP port is open. Note: To properly detect UDP as non-responsive/closed, the Windows Firewall must allow ICMP Destination Unreachable packets to arrive. By default, Windows Firewall blocks such packets.
    • TCP Echo – Attempts to verify whether the remote TCP port is open.
    • External Monitor- The Beyond Security provided monitor, or your own custom monitoring device/program.
    • Monitored IP address - The IP address of the machine to perform monitoring on.
    • Port - The port number of the external monitor (UDP Echo and TCP Echo only). The default value is 1.
    • Interval - The interval to verify the remote device in milliseconds. The default value is 5000.
    • When exception is detected, stop the test for <#> seconds - Specifies the number of seconds to stop the test when an exception is detected. allowing you to take note of it. The default value is 10.
  • Report Connectivity Issues as Exceptions - Select this setting to report connectivity issues with the remote device as an exception. This setting is disabled by default.
  • Number of connectivity failures before reporting back - Specifies the number of failures that need to occur before connectivity issues are reported while Report Connectivity Issues as Exceptions is selected. The default value is 10.
  • Test Fuzzed files by calling beSTORM's Minion - Select this setting to use the beSTORM Minion to test files (for example, DLLs). Refer to https://www.beyondsecurity.com/testing-dll-api-fuzzing-with-bestormfor more information. This setting is disabled by default. The Minion requires the following:
    • beSTORM Minion IP address - The IP address of the Minion.
    • Port - The port number to use with the Minion.
    • beSTORM Minion Password - The password to use with the Minion.
    • Process to Launch (Full Path) - The full path of the process to launch (for example, when testing files are part of an application).