[Snort-devel] legit network-traffic generating tool?

Ravi ravivsn at ...2125...
Thu Apr 29 02:14:21 EDT 2004


  Comments inline
-Ravi

siddharth thakkar wrote:

>Hi Ravi and Everyone,
>
>Pardon my ignorance as a newbie to this area, but as
>far as I get it:
>
>-Nessus would help me generate an "attack" test.
>
Yes

>-HammerHead would help me generate HTTP traffic only
>(again like an "attack" traffic).
>
HammerHead is not to generate attacks particularly. It sends HTTP requests.
It opens multiple connections with the server. The only offensive part is
that it will pump in huge traffic.

>-Nikto & Mutate2: I couldn't understand this quite but
>it again may be in the same "attack"-traffic
>generating tool.
>
Yes

>Rather than these, wouldn't a "background" traffic
>(and not an "attack" traffic) be good to test how much
>my IDS plugin leads to false-positives?
>
I suggest you use tcpdump to collect real-time traffic and pump it back
using the tcpreplay2 tool.

>I read a few (open-ended-problems) discussions on
>Neohapsis, but conclusively couldn't find such a tool
>till now.
>
>Please enlighten more and help me :)
>~Siddharth
>
>--- Ravi <ravivsn at ...2125...> wrote:
>
>>Siddharth,
>>To simulate real web traffic and thereby test the Snort plugin, use:
>>    - nessus, the vulnerability scanner, to send attack packets
>>    - HammerHead, a tool that can act as an HTTP client and generates huge
>>      traffic at a time. It will stress your network with lots of genuine
>>      HTTP requests. Or you can use hardware boxes like smartbits.
>>    - To send packets to evade IDS, use nikto or Mutate2
>>
>>HTH,
>>Cheers,
>>-Ravi
>>ROCSYS Technologies Ltd.,
>>http://www.rocsys.com
>>
>>siddharth thakkar wrote:
>>
>>>Hi,
>>>
>>>Just curious if anyone knows some tool or program
>>>which I could use to create "realistic"
>>>network-traffic including some http, ftp, long file
>>>downloads, etc.?  Basically, I need something that can
>>>simulate real web-activity.
>>>
>>>I have coded a worm-detecting preprocessor plugin for
>>>Snort, but I want such a traffic-generating tool to
>>>test how well my Snort plugin detects the kind of
>>>worms it's made for...and maybe eliminate
>>>false-positives.
>>>
>>>Let me know if anyone knows such a program out there
>>>which can help stress test my network with such
>>>legitimate traffic (in addition to my worm code which
>>>I'll be running).
>>>
>>>I'm looking through sourceforge, but haven't noticed
>>>anything relevant. (except maybe
>>>"traffic"/trafserver/trafclient??)
>>>
>>>Thanks in advance,  (hope I explained it well, let me
>>>know if I haven't :) )
>>>
>>>~Siddharth Thakkar
>>>Univ. of Southern California.
>>>
>>>=====
>>>I don't know half of you half as well as I should like; and I like less
>>>than half of you half as well as you deserve.
>>>-- J. R. R. Tolkien, The Fellowship of the Ring







More information about the Snort-devel mailing list
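
Added example (not part of the original thread): once a benign-only capture has been replayed past Snort, as suggested in the reply above, every alert raised by the plugin under test is a false positive. This Python script tallies them from Snort's fast-alert output; the generator ID 200, the `(worm_detect)` messages and all sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Snort "fast" alert line:
#   timestamp [**] [gid:sid:rev] message [**] [...] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

PLUGIN_GID = 200  # assumption: generator ID chosen for the plugin under test

# Constructed sample alerts, as if logged while replaying a benign-only capture.
SAMPLE_ALERTS = """\
04/29-02:14:21.480211  [**] [200:1:1] (worm_detect) outbound scan burst [**] [Priority: 2] {TCP} 192.168.1.10:3412 -> 10.0.0.20:80
04/29-02:14:22.101933  [**] [200:1:1] (worm_detect) outbound scan burst [**] [Priority: 2] {TCP} 192.168.1.10:3413 -> 10.0.0.21:80
04/29-02:14:25.000817  [**] [200:2:1] (worm_detect) repeated payload [**] [Priority: 2] {TCP} 192.168.1.44:2210 -> 10.0.0.20:21
04/29-02:14:30.554120  [**] [1:1000001:1] constructed ICMP rule [**] [Priority: 3] {ICMP} 192.168.1.7 -> 192.168.1.1
truncated line with no alert header
"""

def host(endpoint):
    """Drop the :port suffix from an IPv4 endpoint; ICMP endpoints have none."""
    return endpoint.rsplit(":", 1)[0]

def false_positive_report(alert_text, packets_replayed, plugin_gid=PLUGIN_GID):
    """Count plugin alerts on known-benign traffic; each one is a false positive."""
    if packets_replayed <= 0:
        raise ValueError("packets_replayed must be positive")
    by_sig, by_src, unparsed = Counter(), Counter(), 0
    for line in filter(str.strip, alert_text.splitlines()):
        m = ALERT_RE.match(line)
        if m is None:
            unparsed += 1  # counted so that parse gaps do not hide alerts
        elif int(m["gid"]) == plugin_gid:  # ignore alerts from other generators
            by_sig[(int(m["sid"]), m["msg"])] += 1
            by_src[host(m["src"])] += 1
    total = sum(by_sig.values())
    return {
        "total": total,
        "per_10k_packets": total * 10000 / packets_replayed,
        "by_signature": by_sig.most_common(),
        "by_source": by_src.most_common(),
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    for key, value in false_positive_report(SAMPLE_ALERTS, 60000).items():
        print(f"{key}: {value}")
```

The per-source tally shows whether one chatty but legitimate host accounts for most of the false positives, which is usually the first thing to check before loosening a threshold.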