Sniffles is a tool for creating packet captures that exercise IDSs that use fixed patterns or regular expressions to detect suspicious behavior. Sniffles works simply: it takes a set of rules or regular expressions, randomly chooses one, and generates content based on it. For fixed strings, this means inserting the string directly into the packet data (possibly at an offset or with other options, as specified by Snort rules).
For regular expressions the process is somewhat more complex: the expression is converted to an NFA and a random path is chosen through the NFA from the start state to the accept state. The resulting data matches the regular expression. Finally, Sniffles can be set to produce full matches or partial matches.
With a full match, the packet data is guaranteed to match at least one rule or regular expression (although some Snort options are not fully considered). A partial match erases the last character of a matching sequence, producing a sequence that should not match (although it may still match another rule). Matching traffic places the greatest burden on an IDS, so it makes it possible to measure how well the IDS handles worst-case traffic.
Partially matching traffic causes almost as much burden as matching traffic. Finally, Sniffles can also generate traffic with completely random data. Random data offers a best-case scenario, because it is very unlikely to match any rule and can therefore be processed at maximum speed. Sniffles thus allows the creation of packet captures for both the best-case and worst-case operation of IDS deep packet inspection.
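To illustrate the regular-expression path described above, here is an added example (not Sniffles' own code, which drives the real PCRE library and also handles Snort rule options): a small Thompson NFA builder for a regex subset, a random walk from the start state to the accept state that yields matching data, and the partial-match variant that drops the final character.

```python
import random
import re
# Added example (not Sniffles' own code, which drives real PCRE): build a Thompson NFA for a
# regex subset (literals, \x, [set], (..), |, *, +, ?) and walk a random start->accept path.
def compile_nfa(pattern):  # returns (edges, start, accept); edges[s] = [(chars or None, next)]
    edges, toks = [], list(pattern)
    def new(): edges.append([]); return len(edges) - 1
    def atom():                              # literal, \x, [set] or (group)
        c = toks.pop(0)
        if c == '(':
            s, e = alt(); assert toks.pop(0) == ')', "unbalanced '('"; return s, e
        if c == '[':
            chars, c = [], toks.pop(0)
            while c != ']': chars.append(c); c = toks.pop(0)
        else:
            chars = [toks.pop(0) if c == '\\' else c]
        s, e = new(), new(); edges[s].append((chars, e)); return s, e
    def repeat():                            # atom followed by *, + or ?
        s, e = atom()
        if toks and toks[0] in '*+?':
            op, ns, ne = toks.pop(0), new(), new()
            edges[ns].append((None, s)); edges[e].append((None, ne))
            if op != '+': edges[ns].append((None, ne))   # zero occurrences allowed
            if op != '?': edges[e].append((None, s))     # loop back for another
            s, e = ns, ne
        return s, e
    def seq():                               # concatenation
        s, e = repeat()
        while toks and toks[0] not in '|)':
            ns, ne = repeat(); edges[e].append((None, ns)); e = ne
        return s, e
    def alt():                               # a|b
        s, e = seq()
        while toks and toks[0] == '|':
            toks.pop(0); ns, ne = seq(); st, en = new(), new()
            edges[st] += [(None, s), (None, ns)]
            edges[e].append((None, en)); edges[ne].append((None, en))
            s, e = st, en
        return s, e
    s, e = alt(); assert not toks, "unbalanced ')'"; return edges, s, e
def generate(pattern, full=True, rng=random):
    """Random start->accept walk; full=False drops the last char (partial match)."""
    edges, state, accept = compile_nfa(pattern); out = []
    while state != accept:
        chars, state = rng.choice(edges[state])
        if chars is not None: out.append(rng.choice(chars))
    return ''.join(out) if full else ''.join(out)[:-1]
def check(pattern, n=200, seed=1):  # True when full samples match and partial ones do not
    return all(re.fullmatch(pattern, s) and not re.fullmatch(pattern, s[:-1])
               for s in (generate(pattern, rng=random.Random(seed + i)) for i in range(n)))
```

As the text notes, a partial match is not guaranteed to miss: for a pattern such as `a+`, dropping the last character of `aa` still leaves a match, which `check` reports as False.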
Latest change v3.2.0 22/12/2016:
+ Fixed bugs in the BackgroundTraffic class.
+ Fixed spelling.
Sniffles consists of the following files:
– rulereader.py: The parser for rules.
– ruletrafficgenerator.py: The tool for generating content streams.
– sniffles.py: The main program managing the process.
– sniffles_config.py: Handles command line input and options for Sniffles.
– traffic_writer.py: Writes a packet into a pcap compatible file. Does not require libpcap.
– vendor_mac_list.py: Contains MAC Organisationally Unique Identifiers used for generating semi-realistic MAC addresses rather than just randomly mashed together octets.
– examples/vendor_mac_definition.txt: Optional file for defining the distribution of partial or full MAC addresses.
– PCRE source files (pcre_chartables.c, pcre_compile.c, pcre_globals.c, pcre_internal.h, pcre_newline.c, pcre_tables.c, pcre.h, pcrecomp.c, pcreconf.py, ucp.h).
– nfa.py: Code for traversing the NFA.
– regex_generator.py: The code for generating random regular expressions.
– rand_rule_gen.py, feature.py, and rule_formats.py: Modules for generating random rule sets.
Download and install from source:
git clone https://github.com/petabi/sniffles && cd sniffles
pip3 install -r requirements.txt
python3 setup.py install