Snort mailing list archives
Re: Generating Network Traffic to Stress Test IDS
From: Jonas Eriksson <je () sekure net>
Date: Fri, 25 Jan 2002 13:47:59 +0100 (CET)
There is also a nice program called ISIC, IP Stack Integrity Checker by Mike Frantzen:
http://www.packetfactory.net/Projects/ISIC/

Regards
Jonas Eriksson

On Fri, 25 Jan 2002, Fernando Miguelez Palomo wrote:
We encountered the same problem when testing performance with a modified version of snort (old one) some months ago. The solution was to code our own injector. We wrote two very simple programs, which I attach:

First one is pinj (Packet INJector). You must have installed libpcap and libnet. It is a very simple program that injects traffic from a given tcpdump file into the desired network interface at the wanted rate. Use the Makefile to build it. This program allows you to repeat the same test (with the same traffic) every time you want.

The second one is called lambda. This program was written in a hurry modifying one of the examples that come with libnet (so don't expect well organized code and good comments). To compile it you must uncompress the tar.gz file in the examples subdirectory of Libnet and type make (the lambda.tar.gz includes the Makefile that came with libnet for this subdir with one line added to compile lambda). This is very dirty, but don't blame me, I didn't write it!

I think that usage of this program is not very clear so this is an example of usage:

./lambda -n 500000 -l 12225 -i rl1 -s 192.168.0.1.10 -d 192.168.0.3.50 -m 999 -D 0 -q 0.75

This calls the program to inject:

(-n 500000) 500,000 packets
(-l 12225) at a rate of approximately 12,225 packets per second
(-i rl1) into network interface rl1 (this is for FreeBSD, the equivalent in linux is eth1)
(-s 192.168.0.1.10) using source IP address 192.168.0.1 with source TCP port 10 (port is optional)
(-d 192.168.0.3.50) and destination IP address 192.168.0.3 with destination TCP port 50
(-q 0.75) in about 75% of the packets (the rest go to dest port 100 (2*50)).
(-m 999) The average total size of the packet is 999 bytes
(-D 0) and maximum deviation 0 bytes.

With this program and many rules of this kind ...

alert tcp any any <> any 50 (msg:"Alert"; content:"Rammstein";)

...you can test snort performing time-consuming analysis over 75% of the traffic load of a saturated segment at 100 Mbps (use a hub or switch to connect two machines).

One final comment. Although you can use the programs with (at first) any UNIX, I recommend you use FreeBSD as Linux at high rates can not inject all the packets.

I hope you find any of these programs useful.

Fernando

--__--__--

Message: 5
Date: Thu, 24 Jan 2002 07:28:17 -0800 (PST)
From: Chad Gough <chad131 () yahoo com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Generting Network Traffic to Stress Test IDS

Does anyone know of any good tools that can generate a lot of network traffic to see at what point an IDS starts dropping packets?

Thanks,
Chad
--
Favourite pickup line: Hey baby, wanna synchronize sequence numbers?
Warning: not always effective
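
The replay-at-a-fixed-rate idea described for pinj above, as an added example that is not part of the original posts and is not pinj's code: it reads a classic libpcap (tcpdump -w) file and hands each frame to a send callable at a set packets-per-second rate. The names read_pcap, replay and make_sample_pcap are hypothetical, the capture is constructed inline, and send is a stand-in for a real link-layer write.

```python
import io
import struct
import time

def read_pcap(stream):
    """Yield raw frames from a classic libpcap (tcpdump -w) capture."""
    header = stream.read(24)
    # The magic number tells us the byte order of the host that wrote the file.
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(header[:4])
    if len(header) < 24 or order is None:
        raise ValueError("not a classic pcap file")
    while True:
        rec = stream.read(16)
        if not rec:
            return
        if len(rec) < 16:
            raise ValueError("truncated record header")
        _sec, _usec, incl_len, _orig_len = struct.unpack(order + "IIII", rec)
        frame = stream.read(incl_len)
        if len(frame) < incl_len:
            raise ValueError("truncated packet data")
        yield frame

def replay(frames, pps, send, clock=time.monotonic, sleep=time.sleep):
    """Hand each frame to send() at a fixed rate; return (sent, elapsed_seconds)."""
    interval = 1.0 / pps
    start = clock()
    sent = 0
    for frame in frames:
        # Pace against absolute deadlines so per-packet jitter does not accumulate.
        delay = start + sent * interval - clock()
        if delay > 0:
            sleep(delay)
        send(frame)  # assumption: the caller supplies the real link-layer write
        sent += 1
    return sent, clock() - start

def make_sample_pcap(payloads):
    """Constructed capture for the demo: Ethernet link type, zero timestamps."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in payloads:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out

if __name__ == "__main__":
    capture = make_sample_pcap([b"\x00" * 60, b"Rammstein".ljust(60, b"\x00")])
    received = []  # stands in for the network interface
    print(replay(read_pcap(io.BytesIO(capture)), pps=1000, send=received.append))
```

Comparing sent / elapsed with the requested rate shows whether the sending host itself kept up, which is worth checking before attributing missed packets to the IDS.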