fpg

NAME

fpg - A false positive generator for snort

SYNTAX

fpg [-hve] [-c <config>] [-D count] [-n count] [-M maxpkts] [-R msec] [-T msec] -s sender -d destination

DESCRIPTION

This program uses a configuration file for snort(8) to generate Ethernet packets that will raise snort alerts.

Based on snort.conf, Ethernet packets are created and sent to the given destination address. The sender and destination addresses must be given on the command line.

OPTIONS

-c <config>

Specifies the snort configuration file to be used to generate the network packets.

-d destination

Specifies the destination address of the network packets. This option is required; the address is either a fully qualified name or a dotted IP address.

-D count

Insert a time delay after every count packets. See option -T.

-e

Run in an endless loop. The configuration file is worked through in an endless loop; after the end is reached, processing starts again from the beginning. The -M option still applies!

-h

Output help information and exit.

-M maxpkts

Specifies the maximum number of packets to generate. If the configuration file yields fewer packets, the program exits earlier! This option is useful in conjunction with the options -e and/or -n.

-n count

Send every built network packet count times. See also option -M.

-R msec

Specifies a random delay of at most msec milliseconds between two packets.

-T msec

Specifies the time delay, in milliseconds, inserted after the number of packets specified by the -D option.

-s sender

Specifies the sender address of the network packets. This option is required; the address is either a fully qualified name or a dotted IP address.

-v

Output version information and exit.

FILES

snort.conf

EXAMPLES

To run this program the standard way type:

fpg -c snort-1.9.1/etc/snort.conf -s 10.0.0.1 -d target.dns.org

To create 1000 packets:

fpg -s 10.0.0.1 -d target.dns.org -e -M 1000

AUTHORS

Dirk Geschke <Dirk@geschke-online.de>

NOTES

Not all ICMP types are implemented in Libnet-1.1.0.

The time delay is implemented with the function usleep(). Its granularity is 100 Hz (at least on x86 systems); therefore all values are internally multiplied by 1024 to obtain milliseconds. This is the reason the options -D and -T exist.

On a fast machine the packet rate can be too high to be put on the wire. The delays provided by the options -D and -T are useful in that case.

To get more realistic traffic, the option -R was introduced.

You must be root to get the traffic sent!

The destination address has to be a valid address or must be in a network behind the snort network. Otherwise there are unanswered ARP requests and the packets are dropped by the last router.

Be aware that nearly all packets will result in reset packets being sent back to the sender address (option -s)!
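As an added illustration (not part of the fpg man page or its source code), the following Python model reproduces the documented interaction of -e, -M, -n, -D, -T and -R from OPTIONS together with the usleep() scaling described in the NOTES above, so the pacing of a test run can be checked before it hits a sensor. The packet list is a constructed stand-in for what snort.conf would yield, the function names are assumptions, and no packets are built or sent.

```python
import random

def schedule(packets, endless=False, maxpkts=None, repeat=1,
             delay_every=0, delay_ms=0, random_ms=0, rng=None):
    """Model fpg's documented send order and the delay before each send.

    packets     - packets built from snort.conf, in file order (constructed)
    endless     - -e: walk the configuration again after the end is reached
    maxpkts     - -M: stop after this many packets (also applies with -e)
    repeat      - -n: send every built packet this many times
    delay_every - -D: insert a delay after every delay_every packets
    delay_ms    - -T: length of that delay in milliseconds
    random_ms   - -R: extra random delay of at most random_ms milliseconds
    Returns a list of (packet, delay_before_send_in_ms).
    """
    rng = rng or random.Random(0)          # seeded so the model is repeatable
    out, sent = [], 0
    while packets:                         # an empty config sends nothing
        for pkt in packets:
            for _ in range(repeat):
                if maxpkts is not None and sent >= maxpkts:
                    return out
                delay = 0
                if delay_every and sent and sent % delay_every == 0:
                    delay += delay_ms
                if random_ms:
                    delay += rng.randint(0, random_ms)
                out.append((pkt, delay))
                sent += 1
        if not endless:
            break
    return out

def usleep_arg(msec):
    """The NOTES section says all delay values are multiplied by 1024
    before being handed to usleep(); this is that conversion."""
    return msec * 1024

if __name__ == "__main__":
    # Equivalent of: fpg ... -e -M 7 -D 2 -T 50 over a three-packet config
    for pkt, delay in schedule(["icmp", "http", "dns"], endless=True,
                               maxpkts=7, delay_every=2, delay_ms=50):
        print(f"{pkt:5} wait {delay:3} ms (usleep {usleep_arg(delay)})")
```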

SEE ALSO

snort(8)