[Snort-users] Generating Network Traffic to Stress Test IDS

Jonas Eriksson je at ...3650...
Fri Jan 25 04:47:04 EST 2002


There is also a nice program called ISIC, IP Stack Integrity Checker
by Mike Frantzen:

http://www.packetfactory.net/Projects/ISIC/


Regards
Jonas Eriksson

On Fri, 25 Jan 2002, Fernando Miguelez Palomo wrote:

> 
> We encountered the same problem when testing performance with a modified 
> version of snort (old one) some months ago. The solution was to code our own 
> injector. 
> 
> We wrote two very simple programs, which I attach:
> 
> First one is pinj (Packet INJector). You must have installed libpcap and 
> libnet. It is a very simple program that injects traffic from a given 
> tcpdump file into the desired network interface at the wanted rate. Use 
> the Makefile to build it. This program allows you to repeat the same test 
> (with the same traffic) every time you want.
> 
> The second one is called lambda. This program was written in a hurry 
> modifying one of the examples that come with libnet (so don't expect well 
> organized code and good comments). To compile it you must uncompress the 
> tar.gz file in the examples subdirectory of Libnet and type make (the 
> lambda.tar.gz includes the Makefile that came with libnet for this subdir 
> with one line added to compile lambda). This is very dirty, but don't 
> blame me, I didn't write it!
> 
> I think that the usage of this program is not very clear, so this is an 
> example of usage:
> ./lambda -n 500000 -l 12225 -i rl1 -s 192.168.0.1.10 -d 192.168.0.3.50 
> -m 999 -D 0 -q 0.75
> 
> This calls the program to inject:
> (-n 500000) 500,000 packets
> (-l 12225) at a rate of approximately 12,225 packets per second
> (-i rl1) into network interface rl1 (this is for FreeBSD, the equivalent
>                                      in linux is eth1)
> (-s 192.168.0.1.10) using source IP address 192.168.0.1 with source TCP 
>                     port 10 (port is optional)
> (-d 192.168.0.3.50) and destination IP address 192.168.0.3 with 
>                     destination TCP port 50
> (-q 0.75)           in about 75% of the packets (the rest go to dest port 
>                     100 (2*50)).
> (-m 999)            The average total size of the packet is 999 bytes
> (-D 0)              and maximum deviation 0 bytes.
>                      
> With this program and many rules of this kind ...
> 
> alert tcp any any <> any 50(msg:"Alert"; content:"Rammstein";)
> 
> ...you can test snort performing time consuming analysis over 75% of 
> the traffic load of a saturated segment at 100 Mbps (use a hub or switch to 
> connect two machines).
> 
> One final comment. Although you can use the programs with (at first) any 
> UNIX, I recommend you use FreeBSD, as Linux at high rates cannot inject 
> all the packets.
> 
> I hope you find any of these programs useful.
> 
> Fernando
> 
> 
> > 
> > 
> > Message: 5
> > Date: Thu, 24 Jan 2002 07:28:17 -0800 (PST)
> > From: Chad Gough <chad131 at ...131...>
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Generating Network Traffic to Stress Test IDS
> > 
> > Does anyone know of any good tools that can generate a lot of network
> > traffic to see at what point an IDS starts dropping packets?
> > 
> > Thanks,
> > Chad
> > 
> > 
> 


--
 Favourite pickup line: Hey baby, wanna synchronize sequence numbers?
 Warning: not always effective
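As an added example, not code from either poster or from the pinj/lambda tools, here is a Python script that writes a tcpdump file with the mix Fernando describes (75% of packets to the rule's port 50, the rest to port 100, 999-byte packets, timestamps paced for 12,225 pps) so a pinj-style replayer can rerun the identical test; the MAC addresses, the "Rammstein" payload and the output file name are constructed.

```python
"""Constructed example: pcap with a lambda-style TCP mix (-n, -m, -D, -d, -q, -l) for IDS replay."""
import random
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, shared by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_packet(src, dst, sport, dport, total_len, payload=b"Rammstein"):
    """Ethernet/IPv4/TCP frame whose IPv4 total length is exactly total_len (lambda's -m)."""
    data = (payload * (total_len // len(payload) + 1))[: max(0, total_len - 40)]
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]  # fill IPv4 checksum
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0)  # PSH|ACK
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp) + len(data))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + data)) + tcp[18:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # made-up MACs
    return eth + ip + tcp + data


def lambda_mix(n, mean, dev, dport, q, seed=0):
    """Per-packet (size, port): size in [mean-dev, mean+dev]; port dport with probability q, else 2*dport."""
    rng = random.Random(seed)
    return [(rng.randint(mean - dev, mean + dev), dport if rng.random() < q else 2 * dport)
            for _ in range(n)]


def port_share(mix, dport):
    """Fraction of packets in the mix aimed at dport (should approach q)."""
    return sum(1 for _, p in mix if p == dport) / len(mix)


def write_pcap(mix, src, dst, sport, rate_pps):
    """pcap bytes whose record timestamps are 1/rate_pps apart, the pacing lambda's -l asks for."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # global header, linktype 1 = Ethernet
    for i, (size, dport) in enumerate(mix):
        frame = build_tcp_packet(src, dst, sport, dport, size)
        ts = i / rate_pps
        out.append(struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000), len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


if __name__ == "__main__":  # 5000 packets instead of the post's 500,000 keeps the file small
    mix = lambda_mix(5000, 999, 0, 50, 0.75)
    with open("lambda_mix.pcap", "wb") as f:
        f.write(write_pcap(mix, "192.168.0.1", "192.168.0.3", 10, 12225))
```

Valid IPv4 and TCP checksums matter here because Snort by default skips detection on packets that fail checksum verification, so a generator with bad checksums would understate the load the rules impose.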