Snort mailing list archives
Sneeze v 1.0 released--Snort false-positive generator in Perl
From: Don Bailey <baileydl () mitre org>
Date: Mon, 06 Aug 2001 11:39:32 -0400
Hi all,

I needed an easy-to-control false-positive generator (didn't care too much for stick, snot, or IDSWakeup) so Cazz and I wrote one in Perl this past Friday. It's called Sneeze, and we like to refer to it as "stick-that-doesn't-suck." Future revision 1.1 should support more accurate and custom packets, random spoofed source, and quiet / verbose mode among other things. For now, it seems to get the job done and is fun to play with. Requires Net::RawIP Perl module.

Download Sneeze today from:

http://snort.sourceforge.net/sneeze-1.0.tar

Take a look and someone let me know how it works for IDS testing, etc.

Thanks.

Sincerely,

Don

P.S.--some of the README is below for more info on Sneeze.

--
Don Bailey
Senior INFOSEC Engineer/Scientist
Secure Information Technology
The MITRE Corporation
(703) 883-6230

Portions of the README follow:

sneeze.pl v 1.0 - a Snort false-positive generator written in perl

Introduction
------------

Sneeze is a Snort false-positive generator written in perl. It will read normal Snort rules files, parse them, and generate packets that will hopefully trigger those same rules. Sneeze can be configured to use specific network devices, source ports, spoofed IPs, as well as loop a specified amount of times or forever. Sneeze provides a way to safely test an IDS in a controlled manner and provides useful output to track what you are sending as triggers.

Sneeze has been tested with Snort 1.8 and its rules.

Further below are instructions for installing Sneeze if you're tired of reading already.

Installation & Usage
--------------------

Sneeze requires the Perl module Net::RawIP. You can obtain this module from:

http://www.cpan.org/modules/by-module/Net/

Once you have Net::RawIP installed, simply run sneeze.pl against a target ip using a snort rules file as input. Like this:

    /sneeze.pl -d 192.168.0.1 -f exploit.rules

Sneeze understands "includes" in rules files, and will recursively use all rules a snort rules file points to.

Sneeze can spoof source IP and port (when appropriate). So if you knew of a stupid firewall that let all traffic source 53 come in from www.resolve.com, you could do something like this to get through the firewall and wakeup the IDS analysts on the other side:

    /sneeze.pl -d 192.168.0.1 -f exploit.rules -s www.resolve.com -p 53

Sneeze normally only goes through a rules file once and generates that many packets. However, if you want to run through the rules file 10 times, then:

    /sneeze.pl -d 192.168.0.1 -f exploit.rules -c 10

If you want to pound the target forever with false-positive traffic then:

    /sneeze.pl -d 192.168.0.1 -f exploit.rules -c -1

And if you want to use a different network device other than your default nic, you can specify the device to use like this:

    /sneeze.pl -d 192.168.0.1 -f exploit.rules -i eth1

Usage hints or help is as easy as:

    ./sneeze.pl -h

or ./sneeze.pl with no args

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
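The README says Sneeze reads ordinary Snort rules files, follows their "include" lines recursively, and turns each rule into a packet carrying that rule's content. The example below is added here as an illustration of that first step from the defender's side; it is not Sneeze's code and not part of Don's post. It parses a small constructed set of Snort 1.8-style rules files (held in a dict rather than on disk so it runs offline), expands "var" definitions, follows includes with a guard against include loops, decodes "|hex|" content strings into bytes, and then lists the rules that carry no flow:established requirement. Those rules inspect each packet on its own, so a stateless generator replaying the rule's content from a spoofed source is enough to fire them; knowing which of your rules fall in that class tells you where a tool like this will produce noise and which alerts an analyst should weigh accordingly. The rule syntax handled is a simplified subset (alert/log/pass headers, "key:value;" options) and all file names and rule bodies are constructed sample data.

```python
import re
from typing import Dict, List, Optional

# Constructed sample "files": a top-level config that includes two rules files,
# one of which includes the first again (an include loop the loader must guard).
SAMPLE_FILES: Dict[str, str] = {
    "snort.conf": """\
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !$HOME_NET
include exploit.rules
include web.rules
""",
    "exploit.rules": """\
# constructed sample rules, not a real Snort ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow"; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; flags:A+; sid:261;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access"; content:"public"; sid:1411;)
""",
    "web.rules": """\
include exploit.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; sid:1002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd"; content:"/etc/passwd"; nocase; sid:1122;)
""",
}

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)
# One "key;" or "key:value;" option; "\;" inside a value does not end it.
OPTION_RE = re.compile(r"\s*(?P<key>\w+)(?::(?P<val>(?:\\.|[^;])*))?;")
VAR_RE = re.compile(r"^var\s+(\w+)\s+(\S+)\s*$")
INCLUDE_RE = re.compile(r"^include\s+(\S+)\s*$")


def expand_vars(token: str, variables: Dict[str, str]) -> str:
    """Replace $NAME references, repeating so nested definitions resolve.
    The loop is bounded so a self-referential var cannot spin forever."""
    for _ in range(10):
        new = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), token)
        if new == token:
            break
        token = new
    return token


def decode_content(raw: str) -> bytes:
    """Turn a content string such as "|CD 80|/bin/sh" into bytes: segments
    between pipes are hex, the rest is literal text."""
    raw = raw.strip().strip('"')
    out = bytearray()
    for i, seg in enumerate(raw.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(seg.replace(" ", ""))
        else:
            out += seg.replace("\\;", ";").encode("latin-1")
    return bytes(out)


def parse_rule(line: str, variables: Dict[str, str]) -> Optional[dict]:
    """Parse one rule line into a dict; returns None for non-rule lines."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rule = {k: expand_vars(v, variables) for k, v in m.groupdict().items() if k != "body"}
    options: Dict[str, object] = {}
    for opt in OPTION_RE.finditer(m.group("body")):
        val = opt.group("val")
        # flag-style options such as "nocase;" carry no value
        options[opt.group("key")] = True if val is None else val.strip().strip('"')
    rule["options"] = options
    rule["content"] = decode_content(str(options["content"])) if "content" in options else None
    rule["sid"] = int(str(options["sid"])) if "sid" in options else None
    return rule


def load_rules(filename: str, files: Dict[str, str],
               variables: Optional[Dict[str, str]] = None,
               seen: Optional[set] = None) -> List[dict]:
    """Read a rules file, following include lines recursively. `seen` stops
    include loops and also keeps a file included twice from being read twice."""
    variables = {} if variables is None else variables
    seen = set() if seen is None else seen
    if filename in seen:
        return []
    seen.add(filename)
    rules: List[dict] = []
    for line in files[filename].splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        var_m, inc_m = VAR_RE.match(line), INCLUDE_RE.match(line)
        if var_m:
            variables[var_m.group(1)] = var_m.group(2)
        elif inc_m:
            rules += load_rules(inc_m.group(1), files, variables, seen)
        else:
            rule = parse_rule(line, variables)
            if rule:
                rules.append(rule)
    return rules


def single_packet_rules(rules: List[dict]) -> List[int]:
    """Sids of rules with no flow:established requirement. These match on a
    single packet, so replayed content from a spoofed source can fire them;
    a rule tied to an established session needs a real TCP stream, which a
    spoofed source cannot complete."""
    return [r["sid"] for r in rules
            if "established" not in str(r["options"].get("flow", ""))]


if __name__ == "__main__":
    loaded = load_rules("snort.conf", SAMPLE_FILES)
    for r in loaded:
        print(r["sid"], r["proto"], r["src"], "->", r["dst"], r["dport"], r["content"])
    print("single-packet rules:", single_packet_rules(loaded))
```

Running it lists four rules (exploit.rules is included twice but loaded once) and reports sids 261, 1411 and 1122 as single-packet rules; only sid 1002, which requires an established flow, is left out. When reviewing alerts produced during a Sneeze run, that list is the set you would expect to see regardless of whether the source address was real.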