Dalton and Flowsynth help create and test packet captures
By: Counter Threat Unit Research Team
When crafting intrusion detection system (IDS) and intrusion prevention system (IPS) rules for engines such as Suricata and Snort, it is imperative that the rules behave and perform as expected. Validation requires testing, but capturing the malicious or applicable traffic can be difficult. Even when a packet capture (pcap) is available or saved, testing coverage with a current ruleset on one or more IDS devices can be onerous.
On November 16, 2017, Secureworks® released two open-source tools: Flowsynth and Dalton. These tools allow analysts to easily create and test network packet captures against IDS engines such as Suricata and Snort.
Flowsynth rapidly models network traffic and generates libpcap-formatted packet captures. It leverages the Scapy packet manipulation tool, but Flowsynth’s input is a text-based, structured intermediate language that is simple to create and understand. It allows for programmatic network flow definitions as well as ad hoc and custom network traffic creation.
Dalton allows analysts to quickly and easily run pcaps against an IDS engine using an existing ruleset and/or bespoke rules. Dalton supports an API but is most commonly used via a web interface that provides immediate and easily navigable feedback on submitted jobs. Dalton’s most common uses are testing rulesets (e.g., “What rules does this pcap trigger?”) and developing or troubleshooting signatures. It supports custom per-job configurations (e.g., suricata.yaml, snort.conf), enabling analysts to test configuration changes, variable changes, and/or IDS engine behavior. Dalton also provides a web-based front end for Flowsynth to create packet captures of simple and complicated network flows.
The open-source release of Dalton takes advantage of container technology. Using Docker with Docker Compose and an Internet connection, Dalton can be built and running in a matter of minutes.
Dalton and Flowsynth are based on tools that the Secureworks Counter Threat Unit™ (CTU) research team has been using internally for many years. They have been so useful that Secureworks decided to make them available to the network IDS community.
Flowsynth – https://github.com/secureworks/flowsynth