{"id":13826620,"url":"https://github.com/petabi/sniffles","last_synced_at":"2025-08-13T17:32:47.838Z","repository":{"id":32339714,"uuid":"35915173","full_name":"petabi/sniffles","owner":"petabi","description":"Sniffles: Packet Capture Generator for IDS and Regular Expression Evaluation","archived":false,"fork":false,"pushed_at":"2021-02-25T17:48:33.000Z","size":755,"stargazers_count":62,"open_issues_count":0,"forks_count":26,"subscribers_count":16,"default_branch":"main","last_synced_at":"2024-11-20T05:30:58.532Z","etag":null,"topics":["pcap","regex"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/petabi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-05-19T23:58:56.000Z","updated_at":"2024-11-08T09:00:17.000Z","dependencies_parsed_at":"2022-09-12T05:10:41.710Z","dependency_job_id":null,"html_url":"https://github.com/petabi/sniffles","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/petabi%2Fsniffles","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/petabi%2Fsniffles/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/petabi%2Fsniffles/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/petabi%2Fsniffles/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/petabi","download_url":"https://codeload.github.com/petabi/sniffles/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":229772929,"owners_count":18121958,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["pcap","regex"],"created_at":"2024-08-04T09:01:41.336Z","updated_at":"2024-12-15T01:31:53.180Z","avatar_url":"https://github.com/petabi.png","language":"C","funding_links":[],"categories":["\u003ca id=\"7bf0f5839fb2827fdc1b93ae6ac7f53d\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"32739127f0c38d61b14448c66a797098\"\u003e\u003c/a\u003e嗅探\u0026\u0026Sniff"],"readme":"Sniffles--Packet Capture Generator for IDS and Regular Expression Evaluation\n============================================================================\n\nSniffles is a tool for creating packet captures that will test IDS\nthat use fixed patterns or regular expressions for detecting\nsuspicious behavior.  Sniffles works very simply.  It takes a set of\nregular expressions or rules and randomly chooses one regular\nexpression or rule.  It then generates content based on that rule or\nregular expression.  For fixed strings, this means adding the string\ndirectly to the data (possibly with offsets or other options as per\nSnort rules).  For regular expressions the process is somewhat more\ncomplex.  The regular expression is converted to an NFA and a\nrandom path is chosen through the NFA (from start to end).\nThe resulting data will match to the regular expression.\nFinally, Sniffles can be set to full match or partial match.\nWith a full match, the packet data will\nabsolutely match to at least one rule or regular expression (Some\nSnort options are not fully considered though).  A partial match will\nerase the last character from a matching character sequence to a\nsequence that should not match (may match to another rule though).\nMatching rules should cause the most burden on an IDS.  Thus, it is\npossible to determine how well the IDS handles worst case traffic.\nPartial matching traffic will cause almost as much burden as matching\ntraffic.  Finally, Sniffles can also generate traffic that has\ncompletely random data.  Such random data offers a best case scenario\nas random data is very unlikely to match with any rules.  Thus, it can\nbe processed at maximum speed.  Thus, Sniffles allows the creation of\npacket captures for best and worst case operation of IDS deep packet\ninspection.\n\nIn additon to above, Sniffles also has the ability to create\nevaluation packet captures.  There are two types of evaluation packet\ncaptures.  The first evaluation packet capture will create exactly one\npacket for each rule or regular expression, in sequence.  Thus it is\npossible to test and see that each rule matches as expected.  The full\nevaluation goes a step further and creates a packet for exvery\npossible branch in a regular expression.  A single regular expression\ncould have thousands of possible branches.  This tests to ensure that\nall possible branches of a regular expression are handled properly.\nEvaluation packet captures should match all packets.  Any unmatched\npackets most likely represent a failure of the IDS and need further\ninvestigation.  Of course, there is always the possiblity that\nSniffles is not creating the correct packet for a given IDS, or\ndoesn't recognize a particular option for a rule.  Check the supported\nrule features for more information.\n\nFinally, Sniffles can also do a lot for generating random network\ntraffic.  By default, random traffic is TCP, UDP, or ICMP and\nunidirectional. However, it can also generate TCP traffic with ACKs,\nhandshakes, and teardowns for each stream.\nIt will generate correct sequence numbers and checksums.\nFurther, MAC addresses can be set according to desired distributions,\nand IP network addresses can be defined by Home and External address\nspaces.  In addition, it is possible to simulate scans within a\ntraffic capture.\n\nInstall\n-------\n\nREQUIRES: Python 3.3+ and the SortedContainers module\n\nSniffles consists of the following files:\n- rulereader.py: The parser for rules.\n- ruletrafficgenerator.py: The tool for generating content streams.\n- sniffles.py: The main program managing the process.\n- sniffles_config.py: handles command line input and options for Sniffles.\n- traffic_writer.py: Writes a packet into a pcap compatible file.\n  Does not require libpcap.\n- vendor_mac_list.py: Contains MAC Organisationally Unique\n  Identifiers used for generating semi-realistic MAC addresses rather\n  than just randomly mashed together octets.\n- examples/vendor_mac_definition.txt: Optional file for defining the\n  distribution of partial or full MAC addresses.\n- pcre files for pcre (pcre_chartables.c pcre_compile.c pcre_globals.c\npcre_internal.h pcre_newline.c pcre_tables.c pcre.h pcrecomp.c pcreconf.py\nucp.h).\n- nfa.py: for traversing NFA.\n- regex_generator.py: The code for generating random regular expressions.\n- rand_rule_gen.py, feature.py, and rule_formats.py: modules for generating\nrandom rule sets.\n\nTo install:\n\n1. Go to the Top-level directory.\n2. Type `python3.x setup.py install`.\n3. This will install the application to your system.\n\nInstall Notes:\n\n1. This has not been tested with Windows nor has it been tested on Linux.  It has been tested on FreeBSD and Mac OS X.\n2. Use `python3.x setup.py build` to build locally, then go to the library directory, find the lib and use `python3.4 -c \"from sniffles import sniffles; sniffles.main()\"` to run locally.\n\nSupported Formats:\n-----------------\n- Snort: Snort alert rules (rule should begin with the Alert\n  directive).  Content tags are recognized and parsed correctly. PCRE\n  tags are likewise correctly parsed. HTTP tags are processed\n  consecutively so they may not create the\n  desired packet.  Content (and PCRE or HTTP content) can be modified\n  by distance, within and offset.  A rule may use a flow control\n  option, though only the direction of the data is derived from this.\n  The nocase option is ignored and the case presented is used.  All\n  other options are ignored.  The header values are parsed and a\n  packet will be generated meeting those values.  If Home and External\n  network address spaces are used then the correct space will be used\n  for the respective $HOME_NET and $EXTERNAL_NET variables.  Example:\n\n\n    `alert tcp $EXTERNAL_NET any -\u003e $HOME_NET 8080 (msg:\"SERVER-APACHE Apache Tomcat UNIX platform directory traversal\"; flow:to_server; content:\"/..|5C|/\"; content:\"/..|5C|/\"; http_raw_uri;`\n\n- Regular expressions: Raw regular expressions 1 to a line written as\n  either abc or /abc/i.  Currently supports the options i, s, and m.\n  Other options are ignored.  Example:\n\n    `/ab*c(d|e)f/i`\n\n- Sniffles Rule Format described below.\n\nCommand Line Options:\n--------------------\n\n  - -a TCP Ack: Send a TCP acknowledgment for every data packet sent.\n     Off by default.  Acknowledgement packets have no data by default.\n\n  - -b Bidirectional data: Data will be generated in both directions\n     of a TCP stream. ACKs will be turned on.  This feature is off\n     by default.\n\n  - -B [Background Traffic Protocol:Percentage]: Set at least one\n     protocol with value between 1 and 100 to produce Background\n     Traffic. This value represents the percentage of the total\n     amount of traffic.\n     Protocols available: FTP, HTTP, IMAP, POP and SMTP.\n     For example: \"http:20,ftp:30,smtp:10\".\n     Enter only one number as the argument value to generate randomly\n     traffic.\n     For example: \"80\".\n\n  - -c Count: Number of streams to create.  Each stream will contain a\n     minimum of 1 packet.  Packet will be between two end-points as\n     defined by the rule or randomly chosen.  tcp_handshake,\n     tcp_teardown, and packets_per_stream will increase the number of\n     packets per stream.  Currently, data in a stream flows in only\n     one direction.  If the -b option is used data should flow\n     in both directions.  Also, Sniffles rules can designate data\n     to flow in both directions.\n\n  - -C Concurrent Flows: Number of flows that will be open at one\n     time.  Best effort in that if there are fewer flows than\n     the number of concurrent flows designated then all of the\n     current flows will be used.  For example, if there are only\n     1000 flows remaining, but the number of concurrent flows\n     was set to 10000, still only 1000 flows will be written out\n     at that time.  The default value is 1000.  If used with\n     duration the -C flows will be maintained throughout the\n     duration which will ultimately disregard any input from -c.\n     Note, the purpose of this is to create a diverse pcap where\n     packets from the same flows are spread out rather than right\n     next to each other and to create the illusion of many\n     concurrent flows.  In our tests, we have managed up to 2-3\n     million concurrent flows before memory becomes an issue.\n     Also, we should mention that different latencies among\n     streams can cause some flows to terminate ealier than others.\n\n  - -d Rules Directory: path to directory containing rule files.\n     Will read every enabled rule in all rules file in the directory.\n     Assumes all rules end with extension .rules.  Use this option or\n     -f, but not both.  The # symbol is used to deactivate (i.e.\n     comment out) a rule.\n\n  - -D Duration: Generate based on duration rather than on count.\n     The duration is in seconds.  Keep in mind that the default\n     latency between packets is an average of 1-200 microseconds.\n     For low latencies, a large duration could result in millions\n     of packets which could take a long time to build.  Also,\n     duration is best effort.  Essentially, new streams are not\n     created after the duration is met, but there may be streams\n     that have not completed.  These are still written out so\n     the actual duration may well be longer than that designated,\n     but should not be less.  Finally, set a larger latency if\n     you wish to have fewer streams created during generation.\n\n  - -e eval: Create just one packet for each rule in the rule-set.\n     Ignores all other input except -f.  Each packet will have\n     content matching the selected rule.\n\n  - -E Full Eval: Create one packet for each viable path in a pcre rule\n     in the rule set.  In other words ab(c|d)e would\n     create two packets: abce and abde.  Ignores all other input\n     except -f.\n\n  - -f Rule File: read a single rule file as per the provided path and\n     file name.\n\n  - -F Config: Designate a config file for Sniffles options.  The\n     config file is a way of fixing the parameters used for a run\n     of Sniffles.\n\n  - -g Timestamp: set the starting time for the pcap timestamp.\n     This will be the number of seconds since 12/31/1969.\n     Default is current time.\n\n  - -h IP Home Prefixes: A list of IP Home Network Prefixes.  IP\n     addresses meant to come from an internal address will use these\n     prefixes.  Prefixes may designate an entire 4 byte IPv4 address\n     in xxx.xxx format.  For example: \"10.192.168,172.16\".\n\n  - -H IP v6 Home Prefixes: Same as IPv4 Home Prefixes just for IPv6.\n     Notable exceptions, the separator is a colon with two bytes\n     represented between colons.\n\n  - -i IPv6 percentage: Set this value between 1 and 100 to generate\n     packets with IPv6.  This will determine the percentage of\n     streams that will be IPv6.\n\n  - -I Intensity of scan attack (i.e. packets per second.)\n\n  - -l Content Length: Fix the Content length to the number of bytes\n     designated. Less than one will set the length equal to the\n     content generated by nfa, or a random number between 10 and 1410\n     if headers are random too.  Will truncate or pad the packet as\n     necessary.\n\n  - -L Latency: Average latency in microsecond.  If not set a random\n     average latency between 1 and 200 usecs is determined for each\n     stream.  Thus, the packets for a given stream will have an average\n     latency amount of time between each packet in the flow.\n\n  - -M Allows the use of a MAC distribution to have a custom MAC\n       addresses in the traffic.  By default, MAC addresses are\n       randomly generated. More information about the MAC\n       definition file can be found in the\n       examples/mac_definition_file.txt.\n       Note:  You can specify up to two MAC definition files\n       in order to set different values dependent on source or\n       destination MACs.  If you specify only one file, it will\n       be used for either direction. If you use the following\n       notation you can specify for specific directions.\n       For example: 'path1:path2'. Path1 will be MAC definition\n       file for source MACs and path2 will be the MAC definition\n       file for destination MACs. You may also use a question\n       mark (?) to designate one or the other as random as in:\n       '?:path2' to have random source MACs but use the file for.\n\n  - -n Not Match Completely.  Sets Content generated from a\n         rule to not match completely (i.e. will automatically truncate\n         the final few characters).  Default behavior is to match rule\n         content completely.\n  - -o output file: designate the name of the output file.  By default,\n     the file is named: sniffles.pcap.\n\n  - -O Offset: Offset before starting a scan attack.  Also used when\n     inserting multiple scans into the traffic.  This is the number\n     of seconds before the scan will start.  If used with -R, this\n     becomes the average number of seconds prior to start.\n\n  - -p Packets-per-stream: Designate the number of\n     content-bearing packets for a single stream.\n     If a positive value is provided as an argument then exactly x\n     (if x is the provided integer) content-bearing packets will\n     appear for each stream.  If x is negative, then a random\n     number of packets will appear for each stream (from 1 to abs(x))\n     By default, this value is 1.\n\n  - -P Target Port list: For a scan attack. Provide a comma-sep list of\n     possible ports, or a single starting port.  Otherwise ports will\n     be scanned at random.  If a single starting port is provided,\n     then ports will be scanned in order from that point to 65535,\n     after which it will roll back to the starting point.  If a list\n     is provided, the ports in the list will be scanned round-robin.\n\n  - -r Random: Generate random content rather than from the rules.  If\n     rules are still provided, the rules are used in the generation of\n     the headers.  Note: many features in the rules may overide certain\n     aspects of the random generation.\n\n  - -R Random scan Attacks: Will use the Offset to create scan attacks in\n     the traffic, but will use the offset only as a median.  The\n     offset is used to determine the amount of time between when a\n     scan finishes and a new scan starts.\n\n  - -s Scan Attack: followed by a comma-sep list of ipv4 addr indicating\n     what ip address to target. Each IP range will create\n     one scan attack.  The ranges should be like: 192.168.1.1 which\n     would target exactly that one ip address while 192.168.1 would\n     target a random ip addresses between 192.168.1.0 and 192.168.1.255.\n\n  - -S Scan type: 1==Syn scan (default) 2 == Connection scan.\n\n  - -t TCP Handshake: Include a TCP handshake in all TCPstreams.  Off by\n     default.\n\n  - -T TCP Teardown: Include a TCP teardown in all TCPstreams.  Off by\n     default.\n\n  - -v Verbosity: Increase the level of output messages.\n\n  - -w write content: Write the content strings to a file called 'all.re'\n\n  - -W Window: The window, or duration, in seconds of a scan attack.\n\n  - -Z Reply Chance: chance that a scan will have a reply.\n     In other words, chance the target port is open\n     (default 20%).\n\n\nExamples:\n---------\n\nNOTE: all examples assume you have installed the sniffles package.\n\nTo generate a pcap from a single file of regular expressions with 10\nstreams where every packet matches a rule\n\n  `sniffles -c 10 -f myre.re -m`\n\nTo generate a pcap from a single snort rule file where every packet\nalmost matches a rule\n\n  `sniffles -c 10 -f myrules.rules`\n\nTo generate a pcap from multiple snort rule files in a single\ndirectory where every packet matches a rule.\n\n  `sniffles -c 10 -d myrulesdir -m`\n\nTo generate the same pcap as above, using the same rules, but with\nrandom content (Content is random, headers will still follow the\nrules--does not work with regex or Sniffles rules):\n\n  `sniffles -c 10 -d myrulesdir -r`\n\nTo generate a pcap with 10 streams (1 packet each) and with random\ndata:\n\n  `sniffles -c 10`\n\nTo generate a pcap with 10 streams where 50% of streams will be the \nbackground traffic and the rest of the streams will contain packets \nmatching a rule:\n\n  `sniffles -c 10 -B 50 myrules.rules`\n\nTo generate a pcap with 10 streams, each stream with 5 packets, with\nACKs and handshake and teardown as well as a fixed length of 50 for\nthe data in each data-bearing packet:\n\n  `sniffles -c 10 -p 5 -l 50 -t -T -a`\n\nTo generate a pcap with 20 random streams with a home network of\n192.168.1-2.x:\n\n  `sniffles -c 20 -h 192.168.1,192.168.2`\n\nTo generate a pcap with 20 random streams with a home network of\n192.168.1.x for IPv4 and 2001:8888:8888 for IPv6 with 50% of traffic\nIPv6:\n\n  `sniffles -c 20 -h 192.168.1 -H 2001:8888:8888 -i 50`\n\nTo generate a 5 second packet capture of random packets with an\naverage lapse between packets of 100 microseconds:\n\n  `sniffles -D 5 -L 100`\n\nTo generate a pcap that will create one packet matching each rule in a\nrule file (or regex file) in sequence:\n\n  `sniffles -f myrules.rules -e`\n\nTo generate a pcap that will create a packet for every possible branch\nof a regex for each regex in a set of regex and then save that file to\na pcap named everything.pcap is as below.  However, this function\ncan run in exponential time if the regex has a large amount of\nmin-max couning so it may take a long time to run.  Further,\nall other options except the two illustrated below are ignored.\n\n  `sniffles -f myrules.rules -o everything.pcap -E`\n\nTo generate random traffic with a scan attack occuring 2 seconds in\nand lasting for 2 seconds with 1000 scan packets per second and with\nthe entire capture a duration of 5 seconds and lapse time of 50us and\nwith starting port 80 (sequentially searching ports from 80):\n\n  `sniffles -D 5 -O 2 -W 2 -I 1000 -L 50 -s 192.168.1.2 -P 80`\n\nSimilar to above, but will create multiple scan attacks, each with\nduration of 1 second, and an average offset between attacks of 2\nseconds.  Further, only scans the designate ports.  Also targets IP\naddress in range 192.168.1.0-255 randomly.\n\n  `sniffles -D 8 -O 2 -W 1 -I 10 -L 50 -s 192.168.1 -P 80,8080,8000,8001`\n\n\nSniffles Rule Format:\n---------------------\n\nSniffles supports several rule formats.  First, Sniffles can parse Snort\nrules, and regular expressions (at one per line).\nIn addition to this, Sniffles also has its own rule format that\ncan be used to explicitly control traffic.  This is done through the use\nof xml files that will describe the traffic.  When this format is used\nthe other options for Sniffles may be irrelevant.  Example rule files can\nbe found in the examples directory.  These rule files are used simply\nby designating the rule file with the -f option (i.e. sniffles -f rules.xml)\n\nThe Sniffles rule format is as follows:\n```xml\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\n\u003cpetabi_rules\u003e\n  \u003crule name=\"test\" \u003e\n    \u003ctraffic_stream proto=\"tcp\" src=\"any\" dst=\"any\" sport=\"any\"\n    dport=\"any\" handshake=\"True\" teardown=\"True\" synch=\"True\" ip=\"4\"\u003e\n      \u003cpkt dir=\"to server\" content=\"/abc/i\" fragment=\"0\" times=\"1\" /\u003e\n      \u003cpkt dir=\"to client\" content=\"/def/i\" fragment=\"0\" times=\"1\" /\u003e\n    \u003c/traffic_stream\u003e\n    \u003ctraffic_stream proto=\"tcp\" src=\"any\" dst=\"any\" sport=\"any\"\n    dport=\"any\" handshake=\"True\" teardown=\"True\" synch=\"True\"\u003e\n      \u003cpkt dir=\"to server\" content=\"/abc/i\" fragment=\"0\" times=\"1\" /\u003e\n      \u003cpkt dir=\"to client\" content=\"/def/i\" fragment=\"0\" times=\"1\" /\u003e\n    \u003c/traffic_stream\u003e\n  \u003c/rule\u003e\n\u003c/petabi_rules\u003e\n```\n\nIn detail, the tags work as follows:\n\n- `\u003cpetabi_rules\u003e \u003c/petabi_rules\u003e`:  This defines all of the rules for this\n  rules file.  There should only be one set of these tags opening and\n  closing all of the designated traffic streams.\n    - `\u003crule \u003e \u003c/rule\u003e`: Designates a single rule.  A single rule can generate\n      an arbitrary number of traffic streams or packets.  May have any number\n      of rules in a single file.\n        - Options:\n            - name: The name for this rule.  Mostly for documentation, no real\n              function.\n        - `\u003ctraffic_stream\u003e \u003c/traffic_stream\u003e`: A traffic stream defines traffic\n          between two endpoints.  All pkts designated within a single traffic\n          stream will share the same endpoints.  Any number of traffic streams\n          can be designatted for a given rule.  Different traffic streams within\n          the same rule may have different end-points or not depending on the\n          settings below.\n            - Options:\n                - typets: Specify which type of traffic stream we will use to\n                  generate packet. Currently, we have Standard, ScanAttack and\n                  BackgroundTraffic.\n                - scantype: 1==Syn scan (default) 2 == Connection scan.\n                  It is used with ScanAttack.\n                - target: Specify the target ip address for Scan Attack.\n                - targetports: For a scan attack. Provide a comma-sep list of\n                  possible ports, or a single starting port.  Otherwise ports will\n                  be scanned at random.  If a single starting port is provided,\n                  then ports will be scanned in order from that point to 65535,\n                  after which it will roll back to the starting point. This option\n                  is used together with typets being 'ScanAttack'\n                - srcport: Specify the source port for Scan Attack.  Random by default\n                - duration: The window, or duration, in seconds of a scan attack\n                  if typets is 'ScanAttack'\n                - intensity: Intensity of scan attack if typets is 'ScanAttack'.\n                - offset: Offset before starting a scan attack.  Also used when\n                  inserting multiple scans into the traffic.\n                - replychance: Chance that a scan will have a reply.\n                  In other words, chance the target port is open\n                  (default 20%). It is used with ScanAttack.\n                - proto: Designates the protocol of this traffic stream.\n                  Should be TCP or or UDP or ICMP (not tested).\n                - src: Source IP address.  May be an address in xxx.xxx.xxx.xxx\n                  format, $EXTERNAL_NET (for an external address--assumes a home\n                  network has been designated), $HOME_NET, or any (randomly\n                  selects IP address).\n                - dst: Destination IP Address.  Same as Source IP Address.\n                - sport: Source port (assumes TCP or UDP).  Can use snort port\n                  formatting which can be a comma separated list in brackets\n                  (i.e. [80,88,89]), a range (i.e. [10:1000]), or any\n                  (i.e. random pick from 0-65535).\n                - dport: Destination Port as per sport.\n                - handshake: Will generate a TCP Handshake at the start of the\n                  stream.  If excluded, there will be no handshake.  Valid values\n                  are true or false.  Default is false.\n                - latency: set the average latency between packets (in microseconds).\n                - teardown: Will close the stream when all traffic has been sent\n                  by appending the TCP teardown at the end of the traffic stream.\n                  Valid values are true or false.  Default is false.\n                - synch: Traffic streams are synchronous or not.  When true, one\n                  traffic stream must finish prior to the next traffic stream\n                  starting.  When false, all contiguous streams that are false\n                  (i.e. asynchronous) will execute at the same time.\n                - tcp_overlap: The default value is false. When true, from the\n                  second packet will be appended one extra content and the tcp\n                  sequence number will be reduced by one to simulate the tcp\n                  overlapping sequence number.\n                - ipv: Designate IPv4 or IPv6.  Valid options are 4, or 6.\n                  Default is 4.\n                - out_of_order: Randomly have packets arrive out-of-order.\n                  Note, this only works with packets that use the 'times'\n                  option.  Further, this option should also be used with ack so\n                  that the proper duplicate acks will appear in the traffic trace.\n                  Valid values are true or false.  Default is false.\n                - out_of_order_prob: Set the probability that packets will arrive\n                  out-of-order.  For example, 10 would mean that there is a 10%\n                  chance for each packet to arrive out of order.  Out-of-order\n                  packets arrive after all of the in-order packets.\n                  Further, they are randomly mixed as well.  Thus,\n                  if the first packets 2 and 5 of 10 packets are determined to be\n                  out of order, they will arrive last of the 10 packets\n                  (slots 9 and 10) and will be in an arbitrary order\n                  (i.e. 5 may come before 2 or vice versa).  The value\n                  for this must be between 1 and 99.  Default is 50.\n                - packet_loss: Randomly have packets be dropped (i.e. not arrive).\n                  This only works with the 'times' option.  Further, this option\n                  should also be used with the ack option set to true so that\n                  duplicate acks will appear in the traffic trace.  Valid values\n                  are 1 to 99 representing the chance that a packet will be dropped.\n                  Note, the packet drop only happens on data-bearing packets, not\n                  on the acks.\n                - ack: Have every data packet in this flow be followed by\n                  an ACK from the server.  Valid values are true or false.\n                  Default is false.\n                - percentage: This only applies for BackgroundTraffic and there should\n                  be only one rule of BackgroundTraffic in a rule file or directory.\n                  The percentage indicates percentage of background traffic stream\n                  to be created in total traffic stream.\n                - http: Percentage distribution of http application protocols in\n                  background traffic stream.\n                - ftp: Percentage distribution of ftp application protocols in\n                  background traffic stream.\n                - pop: Percentage distribution of pop application protocols in\n                  background traffic stream.\n                - smtp: Percentage distribution of smtp application protocols in\n                  background traffic stream.\n                - imap: Percentage distribution of imap application protocols in\n                  background traffic stream.\n            - `\u003cpkt \u003e \u003c/pkt\u003e`:  This directive designates either an individual\n              packet or a series of packets.  The times feature can be used to have\n              one \u003cpkt\u003e \u003c/pkt\u003e directive generate several packets.  Otherwise, it is\n              necessary to explicitly designate each packet in each direction.\n                - Options:\n                    - dir: The direction of the packet.  Valid values are to server\n                      or to client.  The inititial src IP is considered the client,\n                      and the intitial dst IP the server.  Thus 'to server' sends a\n                      packet from client to server and 'to client' send a packet\n                      from server to client.  Default is to server.\n                    - content: Regular expression designating the content for this\n                      packet.  Size of the packet will depend on the regular\n                      expression.\n                    - fragment: Whether or not to fragment this packet.\n                      Only works with ipv4.  Should have a value larger than 2.\n                      Will create as many fragments as are valid or as designated\n                      (whichever is smaller).  Default value is 0 meaning no\n                      fragments.\n                    - ack: Send an ack to this packet or not.  Valid values are\n                      true or false.  Default is false.\n                    - split: Split the content among the designated number of\n                      packets.  By default all content is sent in a single\n                      packet (fragments are small exception to this rule).\n                    - times: Send this packet x times.  Default value is 1,\n                      a positive value will send exactly x packets (possibly\n                      with acks if ack is true), while a negative number will\n                      send a random number of packets between 1 and abs(-x).\n                    - ttl: set time to live value for packet. By default,\n                      sniffles will generate random TTL value.\n                    - ttl_expiry: simulate the ttl expiry attack by breaking\n                      packets into multiple packet with one malicious packet\n                      between two good packet. By default, the value is 0\n                      (No malicious packet). If the value is nonzero, it will\n                      insert malicious packet with this ttl equals ttl_expiry\n                      value. If the ttl value is set, good packet will be set\n                      with new ttl value\n\nFinal Notes: The new rule format is just a beginning and may contain problems.\nPlease alert me of any inconsitencies or errors.  Further, the intent is to\nexapand the options to provide more and more functionality as needed.\nPlease contact me with desired features.  Finally, this product is\nprovided as is.  There is no guaranttee of functionality or\naccuracy.  Feel free to branch this project to meet your own needs.\n\nCredits:\n--------\n\nThis application has been brought to you by Petabi, Inc. where we make\nReliable, Realistic, and Real-fast security solutions.\n\nAuthors:\n\n- Victor C. Valgenti\n- Min Sik Kim\n- Tu Le\n- Moosuk Pyun\n\nNew Features:\n-------------\n\n- 11/21/2014: Version 1.4.0 Added traffic splitting and traffobot for\n   bi-directional traffic generation.  Fixed bug where an exception was\n   thrown when the amount of traffic generated could fit in a single\n   traffic write call. Reformatted and enabled usage.  Finally, added\n   unit tests for traffobot and XML parsing.\n\n- 02/03/2015: Version 2.0.  Completely rewrote how streams work in order to reduce\n   memory requirments when generating large streams using special rules.  Currently,\n   can handle around 2-3 million concurrent flows before things bog down.  I have\n   added some features to try and help for when creating large flows.  First,\n   generate with somthing like a concurrency of 2-3 million flows.  Also, do not use\n   teardown for these flows.  A fraction of the flows will last from the beginning\n   through to the end of the capture while the remainder will be closed out every\n   batch period.  I will work on making this more efficient, but managing\n   all of the complex options in Sniffles now cannot really be done cheaply in\n   memory.  The only other solution is to get a beefier machine with more RAM.\n   This version also contains a variety of fixes.\n\n- 02/11/2015: Added probability to out-of-order packets to allow the frequency\n   of out of order packets to be tuned.\n\n- 03/05/2015: Changed TCP teardown to standard teardown sequence.\n   Now allow content to be spread across multiple packets without using fragments.\n\n- 04/09/2015: Fixed scan traffic, it was partially broken during one of the previous\n   changes.  The pcap starting timestamp now defaults to the current time and can\n   be set with the -g option.  Finally, the 3rd packet in the 3-way tcp handshake\n   will now be data-bearing if the client is to send data first.\n\n- 05/22/2015: Rewrote rule-parsing to simplify the ability to extend rule\n   the rule parser to accomodate more formats.  Embedded nfa traversal and\n   pcre directly into sniffles.  Cleaned up code and prepared it for the\n   public.\n\n- 05/27/2015: Updated documentation, merged in pcre libraries and\n   nfa construction to make sniffles a self-contained package.\n   Added the Regex Generator and the Random Rule Generator as\n   a part of the Sniffles package.  Updated version to 3.0.0\n   and published to github.\n\n- 08/12/2015: Implemented a large number of bug fixes and new\n   features.  Fundamentally changed how streams and flows are\n   handled to allow for improved extensibility.  Added per\n   flow latency.  Updated documentation. \n\nRegular Expression Generator\n============================\n\nThis is a simple regular expression generator.\nIt creates regular expressions either completely randomly, or\nbased on a serires of distributions.\nThe controls that can be placed on how the regular expressions are\ngenerated are structural rather than contextual.  In other words,\nthere is no effort to make certain string tokens appear in\nthe generated regular expressions.  However, the probability\ndistributions can be tweeked to affect the types of features\nfound in the rules like character classes, alternation, repetition, etc.\n\nInstall\n-------\n\nWill be automatically installed with the rest of Sniffles.\n\n\nOptions\n-------\n\nregexgen--Random Regular Expression Generator.\n\n    usage: regexgen [-C char distribution] [-c number regex]\n    [-D class distribution] [-f output re file]\n    [-l lambda for length generation] [-M maximum regex length]\n    [-m minimum regex length] [-n negation probability]\n    [-o options chance] [-R repetition chance] [-r repetition distribution]\n    [-t re structural type distribution] [-?] [-g]\n\n-    -C Character Distribution: This sets the possibility of seeing\n    particular characters or character types.  See a brief explanation of\n    distibutions below for examples on how to use this.  By default\n    this distribution is an equal distribution.  This distribution\n    has five slots: ASCII Characters, Binary characters in \\x00 format,\n    Alphabetical letters (upper or lower case), Digits, and substitution\n    classes (like \\w).  An example input to this would be \"10,20,10,40,20\"\n    which would mean 10% chance any generated char would come from 10% ASCII,\n    20% binary, 10% letters, etc.  One Caveat is that ASCII chars that\n    might cause problems with regular expression (like `[' or '{')\n    are converted to hex representation (\\x3b for example).\n-    -c Number of regular expressions to generate.  Default is one.\n-    -D Class Distribution: There are only two slots in the class\n    distribution.  The first slot is the probability that the class is\n    comprised of some number of randomly generated characters.  The\n    second slot is the probability that the class is comprised of\n    ranges (like a-z).\n-    -f Output file name.  This sets the name of the file where the\n    regular expressions are stored.  The default is a file named rand.re\n    in the current working directory.\n-    -g Groups: All regular expressions will have a common prefix with\n    at least one or more other regular expressions (as long as there are\n    more than one regex.)  A common prefix is just a regular expression\n    that is the same for some set of regular expressions.  The total\n    number of possible common prefixes is from 1 to 1/2 the size of the\n    total regular expressions to generate.  The default value for this\n    option is false.  This option takes no parameters.\n-    -l Lambda for length:  This is the mean length for an exponentional\n    distribution of regular expression lengths.  The default value is 10.\n-    -M Maximum Regex Length: make regular expressions at most this\n    structural length or shorter. By default, maximum length is not limited.\n-    -m Minimum Regex Length: make regular expressions at least this length\n    or longer. Defaults to 3, and will automatically use a value of 1\n    if the input is zero or less.\n-    -n Negation probability: The probability that a character class will\n    be a negation class ([^xyz]) rather than a normal character class ([xyz]).\n    Default probability is 50%.\n-    -o Option chance:  This is the chance for an option to be appended\n    to the regular expression.  Current options are 'i', 'm', and 's'.\n    A random number of options are added to the list with those options\n    chose through a uniform distribution.\n-    -R Repetition chance: The chance of repetition occuring after\n    any structural component has been added to the regular expression.\n-    -r Repetion distribution: The distribution of repetition structures.\n    The slots are: Zero to one (?), Zero to many (*), one to many (+), and\n    counting ({x,y}).\n-    -t Re structural type distribution: The distribution for the\n    primary structural components of the regular expression.  These\n    are comprised of three slots, or categories: characters, classes,\n    and alternation.  Note, alternation will simply generate a smaller\n    regular expression up to the size of the remaining length left to\n    the re.  In other words, alternation will result in several smaller\n    regular expressions being joined into the overall regular expression.\n    The alternation uses the exact same methodology in creating those\n    smaller regular expressions.\n-   -? Print this help.\n\n    This generator will create random regular expressions.  It is possible\n    to tune the structures within the regular expressions to a probability\n    distribution, but currently not the content.  This is desirable in\n    order to explore the maximum diversity in possible regular expressions\n    (though not necessarily realistic regular expressions).\n    The distributions are handled by creating a list of probabilities for\n    the various possibilities, or slots, for a particular distribution.\n    These are added as command line arguments using a simple string\n    list like: \"10,30,40,20\".  The list should have as many values\n    as it has slots.  The total of all values in the list should be\n    100 and there should not be any fractions.  The value at each slot\n    is the probability that that slot will be chosen.  For example,\n    the base RE structural type distribution has three slots.  The\n    first slot is the probability that the next structure type is\n    a character (where a character can be a letter, digit, binary, ASCII,\n    or substitution class (like \\w)).  The second slot is for character\n    classes like [ab@%], [^123], or [a-z].  The final slot is the probability\n    of alternation occuring like (ab|cd).  With these three slots you can tune\n    how often you would like the structures to appear in your regular\n    expressions.  For example, regexgen -c 10 -t \"80,10,10\" would create\n    10 regular expressions where 80% of the structures used would be\n    characters, 10 percent would be character classes, and 10% alternation.\n\nRandom Rule Generator\n=====================\n\nThe Random Rule Generator provides a mean for creating a number of randomly\ngenerated rules with which to test a particular platform.  Currently,\nrules generated meet either the Snort rule format or are just lines\nof text.  In order for the Random Rule Generator to work you must have\na set of features defined.  Example features can be found in the\nexample_features folder and are further described below.\n\nInstall\n-------\n\nAutomatically installed with Sniffles\n\nNote: The Random Rule Generator makes use of the\nRandom Regex Generator for creating content of any kind.\n\nOptions\n-------\n\nRandom Rule Generator\n\nusage: rulegen -c [number of rules] -f [feature set]\n        -o [outfile] [-s]\n\n- -c  Number of rules: The number of rules to generate.\n      Default is one.\n- -f  Feature set: The file containing the feature set description.\n      Please see the documentation for further explanation of\n      feature sets and how to describe them.\n- -o  Output file: output file to which rules are written.\n      Default is rules.txt\n- -s  Snort rule format: write rules to a snort rule format.\n      No parameters, defaults to off.  When off, rules are just\n      converted to a string format, whatever that may be based on\n      the feature parser.\n\nFeature Set\n-----------\n\nFeatures are used to describe potential aspects of rules used in\nIDS.  For example, a packet filter might use rules that target\nIP source and destination address.  In that case, it would be possible\nto create a feature set describing how those IP source and destination\naddresses should be generated.  More specifically, we make the\ndistinction between simple rules and complex rules.  The difference\nbetween these two is the presence of ambiguous notations.  For\nexample, if we possessed an ambiguous notation of * to mean any\nIP address, then we could say that * represents an ambigous notation.\nFurther, we know that a rule can also use a non-ambigous notation,\nlike 192.168.1.1.  That would represent a simple IP address as\nit is a single fixed IP address without any possible ambiguous\nnotation.  We then further define the range of the particular\nfeatures (i.e. IP addresses across the entire 4 billion plus\npossible IPv4 addresses, or just some subset of that).\n\nThe features ultimately define all of the aspects of for an\narbitrary rule.  Given a feature set and a valid rule format,\nit becomes possible to randomly generate an arbitrary number\nof rules that use those features. In this manner, it is possible \nto generate test rule sets that will examine the IDS across a\nvector that is often missed.\n\nFeatures are defined in a semi-colon separated list one feature per line\ntype=feature; list of arguments in key=value pairs, lists using python\nformatting (i.e. [a, ..., z]).  Feature define specific portions of a\ntarget rule format.  Features may be extended to add more functionality.\nOptionally, one can extend the ability of the features by creating a new\nrule format.\n\nCurrent Feature Types:\n\n1. Feature -- generic feature\n2. Content -- Content Feature\n3. IP -- IP Feature\n4. Protocol -- Protocol Feature\n\nAmbiguous lists should be written as lists like [x:y]\nfor a range, [x,y] for a list, {x1,x2,x3} for a set\nor just * for a wildcard or similar single option.\n\nExample about ambiguous list:\n```\nambiguity_list=[[2:9]]\nit will generate [3:4], [5:6], etc (any [x:y] such that\nx \u003c= y and x \u003e= 2 and y \u003e x and y \u003c= 9).\n\nambiguity_list=[[3,20]]\nit will generate [3,9,10], [3,4,8,12], etc (any list [x1,x2,x3,..]\nsuch that all values falling between 3 and 20.\n\nambiguity_list=[{5,6,10}]\nit will generate a subset of {5,6,10} such as {5,10}, {5}.\n\nambiguity_list=[[2:9],[3,20],{5,6,11}]\nit will pick one of [2:9], [3,20], and {5,6,11} and\ngenerate a corresponding instance (see above)\n```\n\nExample for feature file:\n```\ntype=protocol; name=proto; proto_list=[TCP,UDP,ICMP]; complexity_prob=0;ambiguity_list=None;\ntype=ip; name=sip; version=4; complexity_prob=100;\n```\nthe above defines two features, a protocol features and a source\nIP feature.  The protocol is named proto, which is important\nonly for the rule formatter, and the valid protocols are:\nIP, TCP, UDP, and ICMP.  The IP feature is defined as IPv4\nand all rules will be complex.  IP complexity is already\npart of the class and need not be added in the feature definition.\nThis will create IP addresses using CIDR notation.\n\nGeneric Feature Attributes:\n\n- Feature_name: Informational attribute, potentially valuable for\n                the rule formatter.\n- lower_bound: The lower boundary of possible values.  Assumes\n               the feature is a number.\n- upper_bound: Opposite of lower_bound.\n- complexity_prob: The probability of using complex features for a\n                   rule.  From 0 to 100.  Defaults to 0.\n                   When complex features are used, an ambigous notation\n                   is randomly selected from the ambiguity list, or\n                   if the feature defines a specific ambiguity (like\n                   IP addresses) then that is used.  When complex\n                   features are not used, a value is generated using\n                   the boundaries, or, in the case of Content,\n                   using a set of distribution values that will\n                   restrict the generated string to a series\n                   of ASCII characters.\n- ambiguity_list: A list of possible ambiguous notations.\n                  Comma-separated list using python formatting\n                  (i.e. [a, b, c]).\n- toString(): Prints out an instance of a rule given this particular\n              feature set.\n\nContent Feature -- Inherits from Feature:\n- regex: True or False.  If True, will use pcre formatting for\n         regex as well as possible add the options, i, s, or\n         m to the regex.\n- length: Defines the average length of the generated\n          content.\n-  min_regex_length: Defines the minimum length of the regex.\n\nProtocol Feature -- Inherits from Feature:\n- proto_list: Defines the list of possible protocols,\n                 as a comma-separated list (i.e [TCP,\n                 UDP]).\n\nIP Feature -- Inherits from Feature:\n- version: 4 for IP version 4, 6 for IP version 6.\n           Defaults to version 4.\n\nAmbigous notation for ranges, lists, sets:\n\nRange Notation:\n  [x:y]  means from x to y (inclusive).\n\nList notation:\n  [x,y] means list of some randomly determined number of values\n  where each value is greater than or equal to x\n  and smaller than or equal to y.\n\nSet notation:\n  {x1,x2,x3,x4} means a set of value x1, x2, x3, x4.  It\n  will generate a subset set of original set.\n\nPlease look at the example feature sets in the\nexample_features folder for further examples.\nMore details as well as the academic theory\nbehind this are scheduled to be added later.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpetabi%2Fsniffles","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpetabi%2Fsniffles","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpetabi%2Fsniffles/lists"}