[Snort-users] Generating Network Traffic to Stress Test IDS
je at ...3650...
Fri Jan 25 04:47:04 EST 2002
There is also a nice program called ISIC, IP Stack Integrity Checker
by Mike Frantzen:
On Fri, 25 Jan 2002, Fernando Miguelez Palomo wrote:
> We encountered the same problem when testing performance with a modified
> version of snort (old one) some months ago. The solution was to code our own
> We wrote two very simple programs, which I attach:
> First one is pinj (Packet INJector). You must have installed libpcap and
> libnet. It is a very simple program that injects traffic from a given
> tcpdump file into the desired network interface at the wanted rate. Use
> the Makefile to build it. This program allows you to repeat the same test
> (with the same traffic) every time you want.
> The second one is called lambda. This program was written in a hurry
> modifying one of the examples that come with libnet (so don't expect well
> organized code and good comments). To compile it you must uncompress the
> tar.gz file in the examples subdirectory of Libnet and type make (the
> lambda.tar.gz includes the Makefile that came with libnet for this subdir
> with one line added to compile lambda). This is very dirty, but don't
> blame me, I didn't write it!
> I think that usage of this program is not very clear so this is an example
> of usage:
> ./lambda -n 500000 -l 12225 -i rl1 -s 192.168.0.1.10 -d 192.168.0.3.50
> -m 999 -D 0 -q 0.75
> This calls the program to inject:
> (-n 500000) 500,000 packets
> (-l 12225) at a rate of approximately 12,225 packets per second
> (-i rl1) into network interface rl1 (this is for FreeBSD, the equivalent
> in linux is eth1)
> (-s 192.168.0.1.10) using source IP address 192.168.0.1 with source TCP
> port 10 (port is optional)
> (-d 192.168.0.3.50) and destination IP address 192.168.0.3 with
> destination TCP port 50
> (-q 0.75) in about 75% of the packets (the rest go to dest port
> 100 (2*50)).
> (-m 999) The average total size of the packet is 999 bytes
> (-D 0) and maximum deviation 0 bytes.
> With this program and many rules of this kind ...
> alert tcp any any <> any 50(msg:"Alert"; content:"Rammstein";)
> ...you can test snort performing time-consuming analysis over 75% of
> the traffic load of a saturated segment at 100 Mbps (use a hub or switch to
> connect two machines).
> One final comment. Although you can use the programs with (at first) any
> UNIX, I recommend you use FreeBSD as Linux at high rates cannot inject
> all the packets.
> I hope you find any of these programs useful.
> > Message: 5
> > Date: Thu, 24 Jan 2002 07:28:17 -0800 (PST)
> > From: Chad Gough <chad131 at ...131...>
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Generting Network Traffic to Stress Test IDS
> > Does anyone know of any good tools that can generate a lot of network
> > traffic to see at what point an IDS starts dropping packets?
> > Thanks,
> > Chad
Favourite pickup line: Hey baby, wanna synchronize sequence numbers?
Warning: not always effective
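
Added example, not part of the thread and not the attached pinj or lambda code: it builds an offline pcap with the traffic mix from the quoted lambda example (fixed packet size, `-q` share of packets to the destination port, the rest to twice that port, timestamps spaced for the `-l` rate), so the same load can be read back repeatedly with Snort's `-r` option. The function names, MAC addresses and output file name are made up for illustration, and the `-m` size is assumed to mean the IP total length with deviation 0.

```python
import random
import struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (zero-padded to 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def tcp_frame(src, sport, dst, dport, size, payload=b"Rammstein"):
    """Ethernet+IPv4+TCP frame; `size` is the IP total length (assumption)."""
    if size < 40 + len(payload):
        raise ValueError("size too small for headers plus payload")
    data = payload.ljust(size - 40, b"A")  # pad so the content rule still matches
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    pseudo = ip4(src) + ip4(dst) + struct.pack("!BBH", 0, 6, 20 + len(data))
    tcp = tcp[:16] + struct.pack("!H", csum(pseudo + tcp + data)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, size, 0, 0, 64, 6, 0,
                     ip4(src), ip4(dst))
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    # Constructed, locally administered MAC addresses (dst, src) + EtherType IPv4
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    return eth + ip + tcp + data

def build_pcap(n, rate, src, sport, dst, dport, size, q, seed=0):
    """Return (pcap_bytes, dest_ports): n packets, 1/rate seconds apart."""
    rng = random.Random(seed)  # seeded so every run produces the same test load
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # Ethernet
    ports = []
    for i in range(n):
        port = dport if rng.random() < q else 2 * dport
        frame = tcp_frame(src, sport, dst, port, size)
        sec, usec = divmod(round(i * 1_000_000 / rate), 1_000_000)
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
        ports.append(port)
    return b"".join(out), ports

if __name__ == "__main__":
    pcap, ports = build_pcap(10000, 12225, "192.168.0.1", 10,
                             "192.168.0.3", 50, 999, 0.75)
    with open("lambda_like.pcap", "wb") as fh:  # hypothetical file name
        fh.write(pcap)
    print(len(pcap), "bytes,", ports.count(50) / len(ports), "share to port 50")
```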