fpg - A false positive generator for snort

fpg [-hve] [-c <config>] [-D count] [-n count] [-M maxpkts] [-R msec] [-T msec] -s source -d destination

This program uses a configuration file for snort(8) to generate Ethernet packets which will raise snort alerts. Based on snort.conf, Ethernet packets are created and sent to the given destination address. The sender and destination address must be given on the command line.
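As an added illustration of the rule-driven generation described above (example code, not part of fpg; the rule lines below are constructed), here is a small Python parser that turns Snort rule lines into the header fields and the payload bytes a packet would have to carry to match them:

```python
import re
# Constructed sample rules in Snort 1.9 syntax (not taken from any real ruleset).
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC test"; content:"GET /test.cgi"; classtype:attempted-recon;)
alert udp any any -> any 53 (msg:"DNS test"; content:"|00 01 00 00|"; content:"example"; nocase;)
# comment lines and anything that is not a rule are skipped
alert icmp any any -> any any (msg:"ICMP test";)
"""
# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# content:"..." option; the string may contain escaped quotes and backslashes
CONTENT_RE = re.compile(r'\bcontent\s*:\s*"((?:[^"\\]|\\.)*)"')

def content_to_bytes(spec: str) -> bytes:
    """Turn a Snort content string into bytes: text outside |...| is literal,
    |...| groups hold space-separated hex bytes, and \\" \\\\ \\| are escapes."""
    out = bytearray()
    for i, chunk in enumerate(re.split(r'(?<!\\)\|', spec)):
        if i % 2 == 0:  # literal segment: drop the escaping backslashes
            out += re.sub(r'\\(.)', r'\1', chunk).encode('latin-1')
        else:           # hex segment
            out += bytes.fromhex(chunk)
    return bytes(out)

def parse_rules(text: str) -> list:
    """Return one dict per rule: header fields, msg, and the concatenated
    content bytes a packet must carry to match every content option."""
    rules = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        opts = m.group('opts')
        msg = re.search(r'\bmsg\s*:\s*"([^"]*)"', opts)
        rules.append({
            'proto': m.group('proto'), 'src': m.group('src'), 'sport': m.group('sport'),
            'dst': m.group('dst'), 'dport': m.group('dport'),
            'msg': msg.group(1) if msg else '',
            'payload': b''.join(content_to_bytes(c) for c in CONTENT_RE.findall(opts)),
        })
    return rules

if __name__ == '__main__':
    for r in parse_rules(SAMPLE_RULES):
        print(f"{r['proto']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
              f"[{r['msg']}] payload={r['payload']!r}")
```

Only the content matches are reconstructed here; fpg itself builds complete packets with Libnet, and options such as nocase or depth are ignored by this parser.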

-c <config>

Specifies the snort configuration file which should be used to generate network packets.

-d destination

Specifies the destination address of the network packets. This option is required and the format of the address is either a fully qualified name or a dotted IP address.

-D count

Insert a time delay after every count packets. See option -T.

-e

Run in an endless loop. The configuration file is worked through in an endless loop; after the end is reached we start again. The -M option still works!

-h

Output help information and exit.

-M maxpkts

Specifies the maximum number of packets to be generated. If fewer packets are available because of the configuration file, the program exits earlier! This option is useful in conjunction with the options -e and/or -n.

-n count

Send every built network packet count times. See also option -M.

-R msec

Specifies a random delay between two packets of at most msec milliseconds.

-T msec

Specifies the time delay inserted after the number of packets specified by the -D option.

-s sender

Specifies the sender address of the network packets. This option is required and the format of the address is either a fully qualified name or a dotted IP address.

-v

Output version information and exit.

snort.conf

To run this program the standard way type:

fpg -c snort-1.9.1/etc/snort.conf -s 10.0.0.1 -d target.dns.org

To create 1000 packets:

fpg -s 10.0.0.1 -d target.dns.org -e -M 1000

Dirk Geschke <Dirk@geschke-online.de>

Not all ICMP types are implemented in Libnet-1.1.0.

For the time delay the function usleep() is used. Its granularity is 100 Hz (at least on x86 systems), therefore we internally multiply all values by 1024 to get milliseconds. This is the reason why the options -D and -T were created: on a fast machine the packet rate can be too high to be put on the wire, so the delays provided by -D and -T are useful. To get more real-life traffic the option -R was introduced.

To get the traffic sent you must be root!

The destination address has to be a valid address or must be in a network behind the snort network. Otherwise there are unanswered ARP requests and the packets are dropped by the last router. Be aware that nearly all packets will result in reset packets sent to the sender (option -s)!

snort(8)