and Regular Expression Evaluation
Sniffles is a tool for creating packet captures that will test IDS that use fixed patterns or regular expressions for detecting suspicious behavior. Sniffles works very simply. It takes a set of regular expressions or rules and randomly chooses one regular expression or rule. It then generates content based on that rule or regular expression. For fixed strings, this means adding the string directly to the data (possibly with offsets or other options as per Snort rules). For regular expressions the process is somewhat more complex. The regular expression is converted to an NFA and a random path is chosen through the NFA (from start to end). The resulting data will match to the regular expression. Finally, Sniffles can be set to full match or partial match. With a full match, the packet data will absolutely match to at least one rule or regular expression (Some Snort options are not fully considered though). A partial match will erase the last character from a matching character sequence to a sequence that should not match (may match to another rule though). Matching rules should cause the most burden on an IDS. Thus, it is possible to determine how well the IDS handles worst case traffic. Partial matching traffic will cause almost as much burden as matching traffic. Finally, Sniffles can also generate traffic that has completely random data. Such random data offers a best case scenario as random data is very unlikely to match with any rules. Thus, it can be processed at maximum speed. Thus, Sniffles allows the creation of packet captures for best and worst case operation of IDS deep packet inspection.
In additon to above, Sniffles also has the ability to create evaluation packet captures. There are two types of evaluation packet captures. The first evaluation packet capture will create exactly one packet for each rule or regular expression, in sequence. Thus it is possible to test and see that each rule matches as expected. The full evaluation goes a step further and creates a packet for every possible branch in a regular expression. A single regular expression could have thousands of possible branches. This tests to ensure that all possible branches of a regular expression are handled properly. Evaluation packet captures should match all packets. Any unmatched packets most likely represent a failure of the IDS and need further investigation. Of course, there is always the possibility that Sniffles is not creating the correct packet for a given IDS, or doesn’t recognize a particular option for a rule. Check the supported rule features for more information.
Finally, Sniffles can also do a lot for generating random network traffic. By default, random traffic is TCP, UDP, or ICMP and unidirectional. However, it can also generate TCP traffic with ACKs, handshakes, and teardowns for each stream. It will generate correct sequence numbers and checksums. Further, MAC addresses can be set according to desired distributions, and IP network addresses can be defined by Home and External address spaces. In addition, it is possible to simulate scans within a traffic capture.
REQUIRES: Python 3.3+ and the SortedContainers module
Sniffles consists of the following files:
python3.x setup.py install.
python3.x setup.py buildto build locally, then go to the library directory, find the lib and use
python3.4 -c "from sniffles import sniffles; sniffles.main()"to run locally.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server; content:"/..|5C|/"; content:"/..|5C|/"; http_raw_uri;