New Open-Source IDS Tools

Dalton and Flowsynth help create and test packet captures

By: Counter Threat Unit Research Team

When crafting intrusion detection system (IDS) and intrusion prevention system (IPS) rules for engines such as Suricata and Snort, it is imperative that the rules behave and perform as expected. Validation requires testing, but capturing the malicious or applicable traffic can be difficult. Even when a packet capture (pcap) is available or saved, testing coverage with a current ruleset on one or more IDS devices can be onerous.

On November 16, 2017, Secureworks® released two open-source tools: Flowsynth and Dalton. These tools allow analysts to easily create and test network packet captures against IDS engines such as Suricata and Snort.

Flowsynth rapidly models network traffic and generates libpcap-formatted packet captures. It leverages the Scapy packet manipulation tool, but Flowsynth’s input is a text-based, structured intermediate language that is simple to create and understand. It allows for programmatic network flow definitions as well as ad hoc and custom network traffic creation.
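To make concrete what Flowsynth does (a text flow description in, a libpcap file out), here is an added example in plain Python that is not Flowsynth's own code and does not use its real input syntax: the `>`/`<` line format, the addresses, ports and sequence numbers are all constructed for illustration. The resulting file can be fed to Suricata or Snort just like a Flowsynth-generated pcap.

```python
# Added example (not Flowsynth's code or its syntax): text flow description -> libpcap file, stdlib only.
import socket, struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IPv4 and TCP checksums)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF
def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet/IPv4/TCP frame with valid checksums; MAC addresses are constructed."""
    eth = b"\x02\x00\x00\x00\x00\x01\x02\x00\x00\x00\x00\x02\x08\x00"   # dst MAC, src MAC, IPv4
    saddr, daddr = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000, 64, 6, 0, saddr, daddr)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = saddr + daddr + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    return eth + ip + tcp + payload

SYN, ACK, PSH = 0x02, 0x10, 0x08
def flow_to_frames(spec, client="10.0.0.5", server="203.0.113.9", sport=40000, dport=80):
    """Hypothetical spec: '> data' is client->server, '< data' is server->client, C escapes allowed.
    Emits the 3-way handshake, then each payload as PSH/ACK followed by the peer's ACK."""
    frames = [tcp_frame(client, server, sport, dport, 1000, 0, SYN),
              tcp_frame(server, client, dport, sport, 5000, 1001, SYN | ACK),
              tcp_frame(client, server, sport, dport, 1001, 5001, ACK)]
    seq = {client: 1001, server: 5001}          # next sequence number each side will send
    for line in spec.strip().splitlines():
        direction, text = line[0], line[1:].strip()
        data = text.encode().decode("unicode_escape").encode("latin-1")
        snd, rcv = (client, server) if direction == ">" else (server, client)
        sp, dp = (sport, dport) if direction == ">" else (dport, sport)
        frames.append(tcp_frame(snd, rcv, sp, dp, seq[snd], seq[rcv], PSH | ACK, data))
        seq[snd] += len(data)
        frames.append(tcp_frame(rcv, snd, dp, sp, seq[rcv], seq[snd], ACK))
    return frames
def pcap_bytes(frames) -> bytes:
    """libpcap file: global header (magic 0xa1b2c3d4, v2.4, link type 1 = Ethernet) then records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):           # constructed timestamps, one second apart
        out += struct.pack("<IIII", 1_500_000_000 + i, 0, len(frame), len(frame)) + frame
    return out
def write_pcap(path, frames) -> int:
    with open(path, "wb") as fh: return fh.write(pcap_bytes(frames))

HTTP_FLOW = r"""
> GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n
< HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nOK
"""
```

`write_pcap("flow.pcap", flow_to_frames(HTTP_FLOW))` produces a seven-frame capture (handshake plus request, response and their ACKs) that an IDS will reassemble as one HTTP session.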

Dalton allows analysts to quickly and easily run pcaps against an IDS engine using an existing ruleset and/or bespoke rules. Dalton supports an API but is most commonly used via a web interface that provides immediate and easily navigable feedback on submitted jobs. Dalton’s most common uses are testing rulesets (e.g., “What rules does this pcap trigger?”) and developing or troubleshooting signatures. It supports custom per-job configurations (e.g., suricata.yaml, snort.conf), enabling analysts to test configuration changes, variable changes, and/or IDS engine behavior. Dalton also provides a web-based front end for Flowsynth to create packet captures of simple and complicated network flows.

The open-source release of Dalton takes advantage of container technology. Using Docker with Docker Compose and an Internet connection, Dalton can be built and running in a matter of minutes.

Dalton and Flowsynth are based on tools that the Secureworks Counter Threat Unit™ (CTU) research team has been using internally for many years. They have been so useful that Secureworks decided to make them available to the network IDS community.

Dalton – https://github.com/secureworks/dalton

Flowsynth – https://github.com/secureworks/flowsynth
