8.3. Some final remarks on the program fpg

Without any rate limit, a fast machine generates network packets much faster than the network device is able to transmit them. Therefore the options -D and -T were introduced [1].

The -R option was introduced to get a more realistic network traffic shape. This way it is possible to study the behaviour of Snort in a more realistic scenario.

The -n option is the fastest way to generate a lot of alert packets, but they are all equal. Once a packet is built, it is sent several times again, so all these packets look identical.

With the -e option the configuration file is walked through several times and all network packets are built anew. Any unspecified values in the configuration file are replaced by random values. So with this option the network packets for the same rule look a bit different.

The destination address should be a valid one: a target with this address should exist. Otherwise all packets will be blocked at the last hop, which sends ARP requests for the destination address that are never answered.

Be aware that nearly all packets will result in Reset or ICMP packets sent back to the mentioned source address (see option -s).

Notes

[1]

The C function usleep() is used, which can sleep for microseconds. But the finest granularity of this function is in the range of 100 Hz (starting with Linux 2.6 this value is adjustable up to 1000 Hz, but some other operating systems may not be able to use other values). Therefore we use a delay in milliseconds every few packets instead of a usleep() after each packet is sent.
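The batching idea in this note, as an added sketch that is not fpg's own code: for a target rate and timer frequency it picks a batch size whose sleep is at least one timer tick, then runs the send loop with one sleep per batch. The names plan_pacing and run_paced, the callbacks, and the sample rates are hypothetical, and it assumes a sleep cannot be shorter than one tick.

```c
#include <stdio.h>

/* Pacing plan: send `batch` packets back to back, then sleep `delay_ms`. */
struct pacing { unsigned batch; unsigned delay_ms; };

/* Hypothetical helper, not fpg code: pick the smallest batch whose sleep
 * is at least one timer tick (ceil(1000/hz) ms), so the sleep asked for
 * is one the kernel timer can actually deliver. */
struct pacing plan_pacing(unsigned target_pps, unsigned hz)
{
    struct pacing p = {0, 0};
    if (target_pps == 0 || hz == 0)
        return p;                                 /* invalid: empty plan */
    unsigned tick_ms = (1000 + hz - 1) / hz;      /* 10 ms at 100 Hz */
    /* packets that fall due during one tick, rounded up (always >= 1) */
    p.batch = (unsigned)(((unsigned long long)target_pps * tick_ms + 999) / 1000);
    /* time that batch represents at the target rate (always >= tick_ms) */
    p.delay_ms = (unsigned)(p.batch * 1000ULL / target_pps);
    return p;
}

/* Send `count` packets, sleeping once after each full batch (not after
 * the last packet). Callbacks keep the loop independent of the platform's
 * send and sleep calls. Returns the number of sleeps taken. */
unsigned run_paced(unsigned count, struct pacing p,
                   void (*send_one)(void), void (*sleep_ms)(unsigned))
{
    unsigned sleeps = 0;
    for (unsigned i = 1; p.batch != 0 && i <= count; i++) {
        send_one();
        if (i % p.batch == 0 && i < count) {
            sleep_ms(p.delay_ms);
            sleeps++;
        }
    }
    return sleeps;
}

/* Constructed stand-ins for the real send and sleep calls. */
static unsigned sent, slept_ms;
static void count_send(void) { sent++; }
static void count_sleep(unsigned ms) { slept_ms += ms; }

int main(void)
{
    struct pacing p = plan_pacing(5000, 100);     /* 5000 pps, 100 Hz timer */
    unsigned n = run_paced(200, p, count_send, count_sleep);
    printf("batch=%u delay=%u ms sleeps=%u sent=%u slept=%u ms\n",
           p.batch, p.delay_ms, n, sent, slept_ms);
    return 0;
}
```

Under the same assumption, sleeping after every packet on a 100 Hz timer would hold the generator to roughly 100 packets per second, which is why the sleep is taken per batch.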