Home

Awesome

⛲ speeve

Status Go Reference

speeve is a fast, probabilistic EVE-JSON generator for testing and benchmarking of EVE-consuming applications. It can generate up to hundreds of thousands of events per second, with varying IPs, ports, timestamps, accurate Community ID values, etc. under a predefined traffic profile model. Additional metadata can be added based on static strings, Go templates and Tengo scripts.

🚧 Still alpha - work in progress! 🚧

Building

Build like other Go tools:

$ go get -v -t github.com/satta/speeve/...
...
$ speeve spew -h

or in newer fashion:

$ go install github.com/satta/speeve/...@latest
...
$ speeve spew -h

Usage

$ speeve spew -h
The 'spew' command starts EVE-JSON generation.

Usage:
  speeve spew [flags]

Flags:
  -d, --duration duration   duration of run
  -h, --help                help for spew
  -j, --parallel uint32     number of generator tasks to run in parallel (default 2)
  -s, --persec uint32       number of events/s to emit (default 1000)
      --pproffile string    filename to write pprof profiling info into
  -p, --profile string      filename of traffic profile definition file (default "profile.yaml")
      --seed int            random seed for sampling
  -n, --total uint          total number of events to emit
  -v, --verbose             verbose mode

Global Flags:
      --config string   config file (default is $HOME/.speeve.yaml)

The only required parameter is the name of a profile YAML file to use (see section below for details). Other parameters allow for configuration of parallelism (-j, might be needed for higher event rates) and event count (-n) as well as rate (-s, events per second).

Example:

$ speeve spew -p profile.yaml | head -n 2
INFO[0000] seed 1615822102344012700
WARN[0000] random_dns: src ports undefined, will use random high ports 
WARN[0000] random_dns: src ports undefined, will use random high ports 
WARN[0000] dns: src ports undefined, will use random high ports 
WARN[0000] dns: src ports undefined, will use random high ports 
{"timestamp":"2021-03-10T16:02:51.321482+0100", "event_type":"flow", "src_ip": "10.0.0.228", "src_port": 21220, "dst_ip": "10.0.0.157", "dst_port": 53, "proto": "UDP", "flow_id": 8687071865980767663, "community_id": "1:FtaON10zfcu6oNKiXPDVk7bZNAQ=", "flow": {"pkts_toserver": 197, "pkts_toclient": 781, "bytes_toserver": 7448, "bytes_toclient": 9615, "start": "2021-03-10T16:02:50.32156+0100", "end": "2021-03-10T16:02:51.321482+0100", "age": 99, "state": "new", "reason": "shutdown", "alerted": false}}
{"timestamp":"2021-03-10T16:02:51.321482+0100", "event_type":"dns", "src_ip": "10.0.0.228", "src_port": 21220, "dst_ip": "10.0.0.157", "dst_port": 53, "proto": "UDP", "flow_id": 8687071865980767663, "community_id": "1:FtaON10zfcu6oNKiXPDVk7bZNAQ=", "dns": {"version":2,"type":"answer","id":574,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"github.com","rrtype":"AAAA","rcode":"NOERROR","authorities":[{"rrname":"github.com","rrtype":"SOA","ttl":5}]}}

Traffic profile configuration

providers:
    - name: alert
      type: static
      event_type: alert
      ipranges:
        src: 10.0.0.0/16
        dst: 10.0.0.0/29
      ports:
        src: [3452, 32333]
        dst: [80]
      proto: 6
      static: '{"action": "allowed", "gid": 1, "signature_id": 2001999, "rev": 9, "signature": "ET MALWARE BTGrab.com Spyware Downloading Ads", "category": "A Network Trojan was detected", "severity": 1}'
      weight: 100
    - name: random_dns
      type: tengo
      event_type: dns
      ipranges:
        src: 10.0.0.0/8
        dst: 10.0.0.0/8
      ports:
        src: []
        dst: [53]
      proto: 17
      tengo: >
        rnd := import("rand");
        fmt := import("fmt");
        text := import("text");
        chars := "abcdefghijklmnopqrstuvw";

        a := [];
        for i:=0; i<10; i++ {
           a = append(a, chars[rnd.intn(23)]);
        }

        dom := text.join(append(a, ".com"), "");
        ip := fmt.sprintf("%d.%d.%d.%d", rnd.intn(250), rnd.intn(250), rnd.intn(250), rnd.intn(250));
        tmpl := `{"version":2,"type":"answer","id":%d,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"%s","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"%s","rrtype":"A","ttl":299,"rdata":"%s"}],"grouped":{"A":["%s"]}}`;
  
        encoded := fmt.sprintf(tmpl, rnd.intn(40000), dom, dom, ip, ip);
      weight: 50

Author/Contact

Sascha Steinbiss

License

MIT