Snort mailing list archives

Sneeze v 1.0 released--Snort false-positive generator in Perl


From: Don Bailey <baileydl () mitre org>
Date: Mon, 06 Aug 2001 11:39:32 -0400

Hi all,

I needed an easy-to-control false-positive generator (didn't care too
much for stick, snot, or IDSWakeup) so Cazz and I wrote one in Perl this
past Friday.  It's called Sneeze, and we like to refer to it as
"stick-that-doesn't-suck."  Future revision 1.1 should support more
accurate and custom packets, random spoofed source, and quiet / verbose
mode among other things.  For now, it seems to get the job done and is
fun to play with.  Requires Net::RawIP Perl module.  Download Sneeze
today from:

http://snort.sourceforge.net/sneeze-1.0.tar

Take a look and someone let me know how it works for IDS testing, etc. 
Thanks.  

Sincerely,

Don

P.S.--some of the README is below for more info on Sneeze.   
--
Don Bailey
Senior INFOSEC Engineer/Scientist
Secure Information Technology
The MITRE Corporation
(703) 883-6230

Portions of the README follow:

sneeze.pl v 1.0 - a Snort false-positive generator written in perl

Introduction
------------
 
Sneeze is a Snort false-positive generator written in perl.  It will read
normal Snort rules files, parse them, and generate packets that will
hopefully trigger those same rules.  Sneeze can be configured to use
specific network devices, source ports, spoofed IPs, as well as loop a
specified amount of times or forever.  Sneeze provides a way to safely
test an IDS in a controlled manner and provides useful output to track
what you are sending as triggers.  Sneeze has been tested with Snort 1.8
and its rules.
 
Further below are instructions for installing Sneeze if you're tired of
reading already.

Installation & Usage
--------------------
 
Sneeze requires the Perl module Net::RawIP.  You can obtain this module
from:
 
http://www.cpan.org/modules/by-module/Net/
 
Once you have Net::RawIP installed, simply run sneeze.pl against a
target ip using a snort rules file as input.  Like this:
 
./sneeze.pl -d 192.168.0.1 -f exploit.rules
 
Sneeze understands "includes" in rules files, and will recursively use
all rules a snort rules file points to.
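The two parts of Sneeze described above (reading and parsing Snort rules files, and following "include" lines recursively) are illustrated by this added example, which is not Sneeze's own code. It parses constructed Snort 1.8-style rules from an in-memory dict that stands in for files on disk, decodes content patterns (including |..| hex) into bytes, and loads each included file only once, which is the check a rule-audit or IDS-test script needs so a repeated or circular include cannot loop.

```python
import re
# Constructed sample rules files keyed by filename (stands in for reading disk).
FILES = {
    "snort.conf": "include exploit.rules\ninclude web.rules\n",
    "exploit.rules": 'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP site exec"; '
                     'content:"site exec"; nocase; classtype:attempted-admin; sid:100001;)\n'
                     "# comment lines are skipped\n",
    "web.rules": 'alert tcp any any -> $HOME_NET 80 (msg:"WEB dot-dot"; '
                 'content:"GET |2E 2E 2F|"; sid:100002;)\n'
                 "include exploit.rules\n",  # same file included twice: parsed once
}
FIELDS = ("action", "proto", "src", "sport", "dir", "dst", "dport")
# Rule header: action proto src sport dir dst dport (options); each option is
# key or key:value with a quoted or bare value, terminated by ';'
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def content_bytes(text):
    """Snort content string to bytes: text outside |..| is literal, inside is hex."""
    parts = text.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1")
                    for i, p in enumerate(parts))

def parse_rule(line):
    """Split one rule into header fields, content byte patterns and other options."""
    m = HEADER.match(line)
    if not m:
        return None
    rule = dict(zip(FIELDS, m.groups()))
    rule["contents"], rule["opts"] = [], {}
    for key, val in OPTION.findall(m.group(8)):
        val = val.strip().strip('"')
        if key == "content":
            rule["contents"].append(content_bytes(val))
        else:
            rule["opts"][key] = val
    return rule

def load_rules(name, seen=None):
    """Parse a rules file, following include lines recursively; each file is
    loaded once so repeated or circular includes cannot loop forever."""
    seen = set() if seen is None else seen
    if name in seen:
        return []
    seen.add(name)
    rules = []
    for line in FILES[name].splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("include "):
            rules.extend(load_rules(line.split(None, 1)[1].strip(), seen))
        elif (rule := parse_rule(line)):
            rules.append(rule)
    return rules
```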

Sneeze can spoof source IP and port (when appropriate).  So if you knew
of a stupid firewall that let all traffic source 53 come in from
www.resolve.com, you could do something like this to get through the
firewall and wakeup the IDS analysts on the other side:
 
./sneeze.pl -d 192.168.0.1 -f exploit.rules -s www.resolve.com -p 53
 
Sneeze normally only goes through a rules file once and generates that
many packets.  However, if you want to run through the rules file 10
times, then:
 
./sneeze.pl -d 192.168.0.1 -f exploit.rules -c 10
 
If you want to pound the target forever with false-positive traffic
then:
 
./sneeze.pl -d 192.168.0.1 -f exploit.rules -c -1
 
And if you want to use a different network device other than your
default nic, you can specify the device to use like this:
 
./sneeze.pl -d 192.168.0.1 -f exploit.rules -i eth1
 
Usage hints or help is as easy as:  ./sneeze.pl -h or ./sneeze.pl with
no args

