[Snort-users] Generating Network Traffic to Stress Test IDS

Fernando Miguelez Palomo jtbmipaf at ...4632...
Fri Jan 25 01:56:02 EST 2002


We encountered the same problem when testing performance with a modified 
version of snort (old one) some months ago. The solution was to code our own 
injector. 

We wrote two very simple programs, which I attach:

The first one is pinj (Packet INJector). You must have libpcap and 
libnet installed. It is a very simple program that injects traffic from a given 
tcpdump file into the desired network interface at the desired rate. Use 
the Makefile to build it. This program allows you to repeat the same test 
(with the same traffic) every time you want.

The second one is called lambda. This program was written in a hurry by 
modifying one of the examples that come with libnet (so don't expect well 
organized code and good comments). To compile it you must uncompress the 
.tar.gz file in the examples subdirectory of libnet and type make (the 
lambda.tar.gz includes the Makefile that came with libnet for this subdir 
with one line added to compile lambda). This is very dirty, but don't 
blame me, I didn't write it!

I think the usage of this program is not very clear, so here is an example 
of usage:
./lambda -n 500000 -l 12225 -i rl1 -s 192.168.0.1.10 -d 192.168.0.3.50 
-m 999 -D 0 -q 0.75

This calls the program to inject:
(-n 500000)         500,000 packets
(-l 12225)          at a rate of approximately 12,225 packets per second
(-i rl1)            into network interface rl1 (this is for FreeBSD; the equivalent
                    in Linux is eth1)
(-s 192.168.0.1.10) using source IP address 192.168.0.1 with source TCP 
                    port 10 (the port is optional)
(-d 192.168.0.3.50) and destination IP address 192.168.0.3 with 
                    destination TCP port 50
(-q 0.75)           in about 75% of the packets (the rest go to destination port 
                    100, i.e. 2*50).
(-m 999)            The average total size of the packet is 999 bytes
(-D 0)              and the maximum deviation is 0 bytes.
                     
With this program and many rules of this kind ...

alert tcp any any <> any 50 (msg:"Alert"; content:"Rammstein";)

...you can test snort performing time-consuming analysis over 75% of 
the traffic load of a saturated segment at 100 Mbps (use a hub or switch to 
connect the two machines).

One final comment. Although you can use the programs with (in principle) any 
UNIX, I recommend you use FreeBSD, as Linux at high rates cannot inject 
all the packets. 

I hope you find these programs useful.

Fernando


> 
> 
> Message: 5
> Date: Thu, 24 Jan 2002 07:28:17 -0800 (PST)
> From: Chad Gough <chad131 at ...131...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Generating Network Traffic to Stress Test IDS
> 
> Does anyone know of any good tools that can generate a lot of network
> traffic to see at what point an IDS starts dropping packets?
> 
> Thanks,
> Chad
> 
> __________________________________________________
> Do You Yahoo!?
> Great stuff seeking new owners in Yahoo! Auctions! 
> http://auctions.yahoo.com
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pinj.tar.gz
Type: application/octet-stream
Size: 1936 bytes
Desc: 
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020125/bf560f5e/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lambda.tar.gz
Type: application/octet-stream
Size: 4172 bytes
Desc: 
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020125/bf560f5e/attachment-0001.obj>

