Snort mailing list archives
Re: Generating Network Traffic to Stress Test IDS
From: Fernando Miguelez Palomo <jtbmipaf () bipt106 bi ehu es>
Date: Fri, 25 Jan 2002 10:54:17 +0100 (CET)
We encountered the same problem when testing performance with a modified
version of snort (old one) some months ago. The solution was to code our own
injector.
We wrote two very simple programs, which I attach:
First one is pinj (Packet INJector). You must have installed libpcap and
libnet. It is a very simple program that injects traffic from a given
tcpdump file into the desired network interface at the wanted rate. Use
the Makefile to build it. This program allows you to repeat the same test
(with the same traffic) every time you want.
The second one is called lambda. This program was written in a hurry
modifying one of the examples that come with libnet (so don't expect well
organized code and good comments). To compile it you must uncompress the
.tar.gz file in the examples subdirectory of Libnet and type make (the
lambda.tar.gz includes the Makefile that came with libnet for this subdir
with one line added to compile lambda). This is very dirty, but don't
blame me, I didn't write it!
I think that usage of this program is not very clear so this is an example
of usage:
./lambda -n 500000 -l 12225 -i rl1 -s 192.168.0.1.10 -d 192.168.0.3.50 -m 999 -D 0 -q 0.75
This calls the program to inject:
(-n 500000) 500,000 packets
(-l 12225) at a rate of approximately 12,225 packets per second
(-i rl1) into network interface rl1 (this is for FreeBSD, the equivalent in Linux is eth1)
(-s 192.168.0.1.10) using source IP address 192.168.0.1 with source TCP port 10 (port is optional)
(-d 192.168.0.3.50) and destination IP address 192.168.0.3 with destination TCP port 50
(-q 0.75) in about 75% of the packets (the rest go to dest port 100 (2*50)).
(-m 999) The average total size of the packet is 999 bytes
(-D 0) and maximum deviation 0 bytes.
With this program and many rules of this kind ...
alert tcp any any <> any 50 (msg:"Alert"; content:"Rammstein";)
...you can test snort performing time-consuming analysis over 75% of
the traffic load of a saturated segment at 100 Mbps (use a hub or switch to
connect two machines).
One final comment. Although you can use the programs with (at first) any
UNIX, I recommend you use FreeBSD as Linux at high rates cannot inject
all the packets.
I hope you find any of these programs useful.
Fernando
--__--__--
Message: 5
Date: Thu, 24 Jan 2002 07:28:17 -0800 (PST)
From: Chad Gough <chad131 () yahoo com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Generating Network Traffic to Stress Test IDS

Does anyone know of any good tools that can generate a lot of network traffic to see at what point an IDS starts dropping packets?

Thanks,
Chad
Attachment: pinj.tar.gz
Attachment: lambda.tar.gz
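
Added example, not part of the original message or its attachments: a Python sketch that writes a tcpdump-format capture with the traffic mix of the lambda command above (999-byte frames, 75% to destination port 50 and the rest to port 100, timestamps spaced for 12,225 packets per second), so the same load can be replayed from a file in every test run. Assumptions: the 999 bytes count the Ethernet frame without FCS, the port split is deterministic rather than random, and the MAC addresses, filler payload and output file name are constructed.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src, sport, dst, dport, size, seq):
    """Ethernet/IPv4/TCP frame of exactly `size` bytes (assumed to exclude the FCS)."""
    s, d = (bytes(map(int, a.split("."))) for a in (src, dst))
    payload = b"A" * (size - 54)  # constructed filler after 14+20+20 header bytes
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, size - 14, seq & 0xFFFF, 0, 64, 6, 0) + s + d
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002" "020000000001" "0800")  # constructed MACs
    return eth + ip + tcp + payload

def build_pcap(n, rate, src, sport, dst, dport, q, size):
    """n frames spaced for `rate` pps; fraction q to dport, the rest to 2*dport."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # Ethernet linktype
    for i in range(n):
        # Deterministic split (assumption; lambda's own selection is not shown).
        port = dport if int((i + 1) * q) > int(i * q) else 2 * dport
        frame = build_frame(src, sport, dst, port, size, i)
        usec = i * 1_000_000 // rate
        out.append(struct.pack("<IIII", usec // 10**6, usec % 10**6, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def dest_ports(pcap: bytes) -> list:
    """Walk the pcap records and return each frame's TCP destination port."""
    ports, off = [], 24
    while off < len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        ports.append(struct.unpack_from("!H", pcap, off + 16 + 14 + 20 + 2)[0])
        off += 16 + incl
    return ports

if __name__ == "__main__":
    data = build_pcap(2000, 12225, "192.168.0.1", 10, "192.168.0.3", 50, 0.75, 999)
    with open("lambda_like.pcap", "wb") as fh:
        fh.write(data)
```

Checking dest_ports() on the generated file before a run confirms that the share of packets hitting the port-50 rules is the one the test intends.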
