Home

Awesome

Sniffles--Packet Capture Generator for IDS and Regular Expression Evaluation

Sniffles is a tool for creating packet captures that will test IDS that use fixed patterns or regular expressions for detecting suspicious behavior. Sniffles works very simply. It takes a set of regular expressions or rules and randomly chooses one regular expression or rule. It then generates content based on that rule or regular expression. For fixed strings, this means adding the string directly to the data (possibly with offsets or other options as per Snort rules). For regular expressions the process is somewhat more complex. The regular expression is converted to an NFA and a random path is chosen through the NFA (from start to end). The resulting data will match to the regular expression. Finally, Sniffles can be set to full match or partial match. With a full match, the packet data will absolutely match to at least one rule or regular expression (Some Snort options are not fully considered though). A partial match will erase the last character from a matching character sequence to a sequence that should not match (may match to another rule though). Matching rules should cause the most burden on an IDS. Thus, it is possible to determine how well the IDS handles worst case traffic. Partial matching traffic will cause almost as much burden as matching traffic. Finally, Sniffles can also generate traffic that has completely random data. Such random data offers a best case scenario as random data is very unlikely to match with any rules. Thus, it can be processed at maximum speed. Thus, Sniffles allows the creation of packet captures for best and worst case operation of IDS deep packet inspection.

In additon to above, Sniffles also has the ability to create evaluation packet captures. There are two types of evaluation packet captures. The first evaluation packet capture will create exactly one packet for each rule or regular expression, in sequence. Thus it is possible to test and see that each rule matches as expected. The full evaluation goes a step further and creates a packet for exvery possible branch in a regular expression. A single regular expression could have thousands of possible branches. This tests to ensure that all possible branches of a regular expression are handled properly. Evaluation packet captures should match all packets. Any unmatched packets most likely represent a failure of the IDS and need further investigation. Of course, there is always the possiblity that Sniffles is not creating the correct packet for a given IDS, or doesn't recognize a particular option for a rule. Check the supported rule features for more information.

Finally, Sniffles can also do a lot for generating random network traffic. By default, random traffic is TCP, UDP, or ICMP and unidirectional. However, it can also generate TCP traffic with ACKs, handshakes, and teardowns for each stream. It will generate correct sequence numbers and checksums. Further, MAC addresses can be set according to desired distributions, and IP network addresses can be defined by Home and External address spaces. In addition, it is possible to simulate scans within a traffic capture.

Install

REQUIRES: Python 3.3+ and the SortedContainers module

Sniffles consists of the following files:

To install:

  1. Go to the Top-level directory.
  2. Type python3.x setup.py install.
  3. This will install the application to your system.

Install Notes:

  1. This has not been tested with Windows nor has it been tested on Linux. It has been tested on FreeBSD and Mac OS X.
  2. Use python3.x setup.py build to build locally, then go to the library directory, find the lib and use python3.4 -c "from sniffles import sniffles; sniffles.main()" to run locally.

Supported Formats:

Command Line Options:

Examples:

NOTE: all examples assume you have installed the sniffles package.

To generate a pcap from a single file of regular expressions with 10 streams where every packet matches a rule

sniffles -c 10 -f myre.re -m

To generate a pcap from a single snort rule file where every packet almost matches a rule

sniffles -c 10 -f myrules.rules

To generate a pcap from multiple snort rule files in a single directory where every packet matches a rule.

sniffles -c 10 -d myrulesdir -m

To generate the same pcap as above, using the same rules, but with random content (Content is random, headers will still follow the rules--does not work with regex or Sniffles rules):

sniffles -c 10 -d myrulesdir -r

To generate a pcap with 10 streams (1 packet each) and with random data:

sniffles -c 10

To generate a pcap with 10 streams where 50% of streams will be the background traffic and the rest of the streams will contain packets matching a rule:

sniffles -c 10 -B 50 myrules.rules

To generate a pcap with 10 streams, each stream with 5 packets, with ACKs and handshake and teardown as well as a fixed length of 50 for the data in each data-bearing packet:

sniffles -c 10 -p 5 -l 50 -t -T -a

To generate a pcap with 20 random streams with a home network of 192.168.1-2.x:

sniffles -c 20 -h 192.168.1,192.168.2

To generate a pcap with 20 random streams with a home network of 192.168.1.x for IPv4 and 2001:8888:8888 for IPv6 with 50% of traffic IPv6:

sniffles -c 20 -h 192.168.1 -H 2001:8888:8888 -i 50

To generate a 5 second packet capture of random packets with an average lapse between packets of 100 microseconds:

sniffles -D 5 -L 100

To generate a pcap that will create one packet matching each rule in a rule file (or regex file) in sequence:

sniffles -f myrules.rules -e

To generate a pcap that will create a packet for every possible branch of a regex for each regex in a set of regex and then save that file to a pcap named everything.pcap is as below. However, this function can run in exponential time if the regex has a large amount of min-max couning so it may take a long time to run. Further, all other options except the two illustrated below are ignored.

sniffles -f myrules.rules -o everything.pcap -E

To generate random traffic with a scan attack occuring 2 seconds in and lasting for 2 seconds with 1000 scan packets per second and with the entire capture a duration of 5 seconds and lapse time of 50us and with starting port 80 (sequentially searching ports from 80):

sniffles -D 5 -O 2 -W 2 -I 1000 -L 50 -s 192.168.1.2 -P 80

Similar to above, but will create multiple scan attacks, each with duration of 1 second, and an average offset between attacks of 2 seconds. Further, only scans the designate ports. Also targets IP address in range 192.168.1.0-255 randomly.

sniffles -D 8 -O 2 -W 1 -I 10 -L 50 -s 192.168.1 -P 80,8080,8000,8001

Sniffles Rule Format:

Sniffles supports several rule formats. First, Sniffles can parse Snort rules, and regular expressions (at one per line). In addition to this, Sniffles also has its own rule format that can be used to explicitly control traffic. This is done through the use of xml files that will describe the traffic. When this format is used the other options for Sniffles may be irrelevant. Example rule files can be found in the examples directory. These rule files are used simply by designating the rule file with the -f option (i.e. sniffles -f rules.xml)

The Sniffles rule format is as follows:

<?xml version="1.0" encoding="utf-8"?>
<petabi_rules>
  <rule name="test" >
    <traffic_stream proto="tcp" src="any" dst="any" sport="any"
    dport="any" handshake="True" teardown="True" synch="True" ip="4">
      <pkt dir="to server" content="/abc/i" fragment="0" times="1" />
      <pkt dir="to client" content="/def/i" fragment="0" times="1" />
    </traffic_stream>
    <traffic_stream proto="tcp" src="any" dst="any" sport="any"
    dport="any" handshake="True" teardown="True" synch="True">
      <pkt dir="to server" content="/abc/i" fragment="0" times="1" />
      <pkt dir="to client" content="/def/i" fragment="0" times="1" />
    </traffic_stream>
  </rule>
</petabi_rules>

In detail, the tags work as follows:

Final Notes: The new rule format is just a beginning and may contain problems. Please alert me of any inconsitencies or errors. Further, the intent is to exapand the options to provide more and more functionality as needed. Please contact me with desired features. Finally, this product is provided as is. There is no guaranttee of functionality or accuracy. Feel free to branch this project to meet your own needs.

Credits:

This application has been brought to you by Petabi, Inc. where we make Reliable, Realistic, and Real-fast security solutions.

Authors:

New Features:

Regular Expression Generator

This is a simple regular expression generator. It creates regular expressions either completely randomly, or based on a serires of distributions. The controls that can be placed on how the regular expressions are generated are structural rather than contextual. In other words, there is no effort to make certain string tokens appear in the generated regular expressions. However, the probability distributions can be tweeked to affect the types of features found in the rules like character classes, alternation, repetition, etc.

Install

Will be automatically installed with the rest of Sniffles.

Options

regexgen--Random Regular Expression Generator.

usage: regexgen [-C char distribution] [-c number regex]
[-D class distribution] [-f output re file]
[-l lambda for length generation] [-M maximum regex length]
[-m minimum regex length] [-n negation probability]
[-o options chance] [-R repetition chance] [-r repetition distribution]
[-t re structural type distribution] [-?] [-g]

Random Rule Generator

The Random Rule Generator provides a mean for creating a number of randomly generated rules with which to test a particular platform. Currently, rules generated meet either the Snort rule format or are just lines of text. In order for the Random Rule Generator to work you must have a set of features defined. Example features can be found in the example_features folder and are further described below.

Install

Automatically installed with Sniffles

Note: The Random Rule Generator makes use of the Random Regex Generator for creating content of any kind.

Options

Random Rule Generator

usage: rulegen -c [number of rules] -f [feature set] -o [outfile] [-s]

Feature Set

Features are used to describe potential aspects of rules used in IDS. For example, a packet filter might use rules that target IP source and destination address. In that case, it would be possible to create a feature set describing how those IP source and destination addresses should be generated. More specifically, we make the distinction between simple rules and complex rules. The difference between these two is the presence of ambiguous notations. For example, if we possessed an ambiguous notation of * to mean any IP address, then we could say that * represents an ambigous notation. Further, we know that a rule can also use a non-ambigous notation, like 192.168.1.1. That would represent a simple IP address as it is a single fixed IP address without any possible ambiguous notation. We then further define the range of the particular features (i.e. IP addresses across the entire 4 billion plus possible IPv4 addresses, or just some subset of that).

The features ultimately define all of the aspects of for an arbitrary rule. Given a feature set and a valid rule format, it becomes possible to randomly generate an arbitrary number of rules that use those features. In this manner, it is possible to generate test rule sets that will examine the IDS across a vector that is often missed.

Features are defined in a semi-colon separated list one feature per line type=feature; list of arguments in key=value pairs, lists using python formatting (i.e. [a, ..., z]). Feature define specific portions of a target rule format. Features may be extended to add more functionality. Optionally, one can extend the ability of the features by creating a new rule format.

Current Feature Types:

  1. Feature -- generic feature
  2. Content -- Content Feature
  3. IP -- IP Feature
  4. Protocol -- Protocol Feature

Ambiguous lists should be written as lists like [x:y] for a range, [x,y] for a list, {x1,x2,x3} for a set or just * for a wildcard or similar single option.

Example about ambiguous list:

ambiguity_list=[[2:9]]
it will generate [3:4], [5:6], etc (any [x:y] such that
x <= y and x >= 2 and y > x and y <= 9).

ambiguity_list=[[3,20]]
it will generate [3,9,10], [3,4,8,12], etc (any list [x1,x2,x3,..]
such that all values falling between 3 and 20.

ambiguity_list=[{5,6,10}]
it will generate a subset of {5,6,10} such as {5,10}, {5}.

ambiguity_list=[[2:9],[3,20],{5,6,11}]
it will pick one of [2:9], [3,20], and {5,6,11} and
generate a corresponding instance (see above)

Example for feature file:

type=protocol; name=proto; proto_list=[TCP,UDP,ICMP]; complexity_prob=0;ambiguity_list=None;
type=ip; name=sip; version=4; complexity_prob=100;

the above defines two features, a protocol features and a source IP feature. The protocol is named proto, which is important only for the rule formatter, and the valid protocols are: IP, TCP, UDP, and ICMP. The IP feature is defined as IPv4 and all rules will be complex. IP complexity is already part of the class and need not be added in the feature definition. This will create IP addresses using CIDR notation.

Generic Feature Attributes:

Content Feature -- Inherits from Feature:

Protocol Feature -- Inherits from Feature:

IP Feature -- Inherits from Feature:

Ambigous notation for ranges, lists, sets:

Range Notation: [x:y] means from x to y (inclusive).

List notation: [x,y] means list of some randomly determined number of values where each value is greater than or equal to x and smaller than or equal to y.

Set notation: {x1,x2,x3,x4} means a set of value x1, x2, x3, x4. It will generate a subset set of original set.

Please look at the example feature sets in the example_features folder for further examples. More details as well as the academic theory behind this are scheduled to be added later.