This program[1] creates network packets that raise false positive alerts within snort. It reads a snort configuration file and tries to build one network packet for each rule, containing all the values the rule requires.
Nearly all kinds of network packets can be created; only some newer features of snort like byte_test and some ICMP types are not supported[2].
Note: There is an ongoing discussion about how useful or useless these kinds of false positive generators are. But there are at least some obvious reasons why they may be useful. For example, if you want to see what happens when the output plugins reach their limits, you will need something that is able to generate enough alerts. Or think of finding problems in preprocessors or rules: if you find one this way, then the use of such programs is more than justified. On the other hand, using these kinds of programs to estimate the load up to which snort is able to perform its work may fool you, since a lot of preprocessor work is ignored. So there are at least some good reasons for these programs to exist.
Currently fpg uses a lot of snort keywords. Up to 5 levels[3] of include files are supported.
snort keywords used by fpg
include
alert
log
var
tcp
udp
icmp
any
rpc
msg
content
uricontent
dsize
sameip
offset
distance
depth
within
fragbits
id
ip_proto
ttl
itype
icode
icmp_id
icmp_seq
isdataat
flags
flow
seq
ack
Options not mentioned here are simply ignored[4]. You have to specify a source and destination address explicitly, so any specific addresses in the configuration file are overwritten. Because of these wrong addresses, some rules will not raise alerts.
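The rule-reading step described above, as an added example that is not part of fpg itself: a small Python parser for snort rule syntax that resolves `var` definitions, follows `include` directives up to a fixed nesting depth, splits the rule header from its option list, and reports which options fall outside the keyword list above (the ones fpg would ignore per footnote [4]). The configuration and rule file are constructed in memory for this example; the keyword set and the depth limit of 5 are taken from the text.

```python
"""Minimal snort rule parser (added example, not fpg's own code)."""
import re
from dataclasses import dataclass, field

MAX_INCLUDE_DEPTH = 5  # the include nesting limit the text describes

# Keywords fpg understands, as listed on the page.
FPG_KEYWORDS = {
    "rpc", "msg", "content", "uricontent", "dsize", "sameip", "offset",
    "distance", "depth", "within", "fragbits", "id", "ip_proto", "ttl",
    "itype", "icode", "icmp_id", "icmp_seq", "isdataat", "flags", "flow",
    "seq", "ack",
}

# Constructed sample files; 'local.rules' is simulated in memory.
SAMPLE_FILES = {
    "snort.conf": """
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
include local.rules
""",
    "local.rules": r"""
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test"; uricontent:"/test.cgi"; flags:PA; flow:to_server; content:"abc"; offset:0; depth:10; dsize:>20;)
log udp any any -> $HOME_NET 53 (msg:"DNS log"; content:"|00 01 00 00|"; byte_test:1,>,5,0;)
""",
}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # (keyword, value or None)


def split_options(text):
    """Split 'k:v; k2; ...' while honouring quoted strings containing ';'."""
    parts, buf, in_quote = [], "", False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        parts.append(buf.strip())
    result = []
    for opt in parts:
        if ":" in opt:
            key, val = opt.split(":", 1)
            result.append((key.strip(), val.strip().strip('"')))
        else:
            result.append((opt, None))  # flag-style option such as sameip
    return result


def expand_var(token, variables):
    """Replace a $NAME reference from the var table; leave other tokens alone."""
    return variables.get(token[1:], token) if token.startswith("$") else token


def parse_config(name, files, variables=None, depth=0):
    """Return the Rule objects found in `name`, resolving var and include."""
    if depth > MAX_INCLUDE_DEPTH:
        raise RecursionError(f"include nesting deeper than {MAX_INCLUDE_DEPTH}")
    variables = {} if variables is None else variables
    rules = []
    for line in files[name].splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, key, val = line.split(None, 2)
            variables[key] = val
        elif line.startswith("include "):
            target = line.split(None, 1)[1]
            rules += parse_config(target, files, variables, depth + 1)
        else:
            m = HEADER_RE.match(line)
            if not m:
                continue  # rule shapes we do not model are skipped
            rules.append(Rule(
                m["action"], m["proto"],
                expand_var(m["src"], variables), m["sport"], m["dir"],
                expand_var(m["dst"], variables), m["dport"],
                split_options(m["opts"]),
            ))
    return rules


def option_value(rule, keyword):
    """Value of the first option with this keyword, or None if absent."""
    return next((v for k, v in rule.options if k == keyword), None)


def ignored_options(rule):
    """Option keywords outside fpg's list, e.g. byte_test (see footnote [4])."""
    return [k for k, _ in rule.options if k not in FPG_KEYWORDS]


if __name__ == "__main__":
    for r in parse_config("snort.conf", SAMPLE_FILES):
        print(r.action, r.proto, r.src, r.sport, r.direction, r.dst, r.dport,
              option_value(r, "msg"), "ignored:", ignored_options(r))
```

Running it lists both sample rules with `$HOME_NET` resolved to `192.168.1.0/24` and flags the second rule's `byte_test` option as one that would be ignored, which is exactly the case where a generated packet might not raise the alert the rule describes.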
| [1] | To build network packets with your own contents, e.g. source addresses different from the system's own, TCP packets with flags set and so on, you must be root to use this program! |
| [2] | To raise alerts within snort-2.0.0 you have to disable the |
| [3] | This is only one parameter in the source file and can be easily increased. |
| [4] | These options are ignored, not the whole rule! |