For a current IPS/IDS project I was looking for a test system to benchmark various IDS/IPS engines. The idea was to record network captures carrying malware samples in HTTP, SMTP or other protocols and replay them against the various detection engines. The problem is that tools like tcpreplay, bittwist or Ostinato inject the whole trace through a single network card, so both the "client" and the "server" half of the conversation arrive on the same NIC of the detection engine. (tcpreplay can split a trace across two NICs using a tcpprep cache file, but it still fires packets on a timer, regardless of whether the other side ever received them.)
What I want is a packet replay engine that uses two NICs to feed the capture into the detection engine from both sides, simulating a "real" conversation. That engine does exist: it is called Tomahawk Test Tool and was created by TippingPoint. Unfortunately, it does not seem to be maintained anymore; the last change dates from 2006. To make things a bit more complicated, it does not compile cleanly on current Debian systems (in my case Debian 7, "Wheezy") because the libraries it depends on have changed in the meantime. Later Debian releases will most likely need the same treatment.
So here is my tutorial on how to set up Tomahawk on Wheezy from scratch (Update: this only seems to work on 32-bit Debian, not on 64-bit; see the comments by Sebastian below):
- Install the Debian base system with no optional packages at all (the SSH service at most, but no desktop, DNS server, etc.). I usually deselect all of them, including SSH.
- Once that is done, install the few packages needed to compile Tomahawk:
apt-get install ssh gcc flex bison make
- Create a working directory under /usr/src (the later steps assume /usr/src/tomahawk) and get the Tomahawk source:
mkdir -p /usr/src/tomahawk
cd /usr/src/tomahawk
wget http://prdownloads.sourceforge.net/tomahawk/tomahawk1.1.tar.gz
- Get the old libpcap and libnet releases that Tomahawk was written against (libpcap 0.8.1 and libnet 1.0.2a). Since they are outdated I put them on my own server for easier access, but you can of course search for them elsewhere if you prefer.
wget http://www.packet-foo.com/tomahawk/libnet-1.0.2a.tar.gz
wget http://www.packet-foo.com/tomahawk/libpcap-0.8.1.tar.gz
- Unpack everything:
tar xzf tomahawk1.1.tar.gz
tar xzf libnet-1.0.2a.tar.gz
tar xzf libpcap-0.8.1.tar.gz
rm *.gz
- Compile libpcap:
cd /usr/src/tomahawk/libpcap-0.8.1
./configure
make
make install
- Compile libnet (note the capital L in the directory name the tarball creates):
cd /usr/src/tomahawk/Libnet-1.0.2a
./configure
make
make install
- Compile Tomahawk:
cd /usr/src/tomahawk/tomahawk1.1
make
make install
- Check that the binary runs by replaying a capture a single time (-l 1 is the loop count, -f the capture file):
./tomahawk -l 1 -f test.pcap
The box I installed Tomahawk on has three interfaces: eth0 is the management interface, while eth1 and eth2 are the replay interfaces that Tomahawk addresses with -i and -j. A typical replay command looks like this:
tomahawk -l 1 -f ipstest1.pcap -i eth1 -j eth2
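To make the two-NIC idea concrete, here is an added example (my own code, not Tomahawk's and not part of the original tutorial) that reads a classic pcap and decides, packet by packet, whether it belongs to the client side (what goes out of -i eth1) or the server side (what goes out of -j eth2). The side rule is an assumption made for this demo only: the source of the first IPv4 packet is the client and its destination the server. How Tomahawk itself picks sides is covered in the ICSA whitepaper mentioned below. The script carries a constructed capture and a tiny pcap writer so that it runs offline; feed read_pcap the bytes of a real capture for your own traces.

```python
import struct

# Added example, not Tomahawk's or the blog author's code.  The side-assignment
# rule (first IPv4 packet's source = client) is an assumption for this demo.
PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def write_pcap(frames):
    """Serialise (ts_sec, ts_usec, frame) tuples into classic pcap bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in frames:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (timestamp, frame) from classic pcap bytes written in either byte order."""
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + caplen]
        off += caplen


def ipv4_endpoints(frame):
    """Return (src_ip, dst_ip) of an Ethernet/IPv4 frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst


def assign_sides(pcap_bytes, client_iface="eth1", server_iface="eth2"):
    """Map each packet to the NIC it should be injected from.

    Client-sent packets leave client_iface, server-sent packets leave
    server_iface.  Anything else (background traffic, non-IP frames) is left
    unassigned so that it is noticed instead of being replayed from a random side.
    """
    client = server = None
    plan = []
    for ts, frame in read_pcap(pcap_bytes):
        ends = ipv4_endpoints(frame)
        if ends is None:
            plan.append((ts, None, "non-IPv4 frame"))
            continue
        src, dst = ends
        if client is None:                      # first IPv4 packet defines the sides
            client, server = src, dst
        if src == client:
            plan.append((ts, client_iface, f"{src} -> {dst}"))
        elif src == server:
            plan.append((ts, server_iface, f"{src} -> {dst}"))
        else:
            plan.append((ts, None, f"unassigned {src} -> {dst}"))
    return plan


def make_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame for the constructed capture (checksums left zero)."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def sample_capture():
    """Constructed capture (not real traffic): handshake, HTTP request/reply, some noise."""
    c, s = "10.0.0.5", "192.0.2.10"
    arp = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28
    return write_pcap([
        (1, 0, make_frame(c, s, 40000, 80)),
        (1, 100, make_frame(s, c, 80, 40000)),
        (1, 200, make_frame(c, s, 40000, 80)),
        (1, 300, make_frame(c, s, 40000, 80, b"GET /sample.exe HTTP/1.1\r\nHost: x\r\n\r\n")),
        (1, 400, make_frame(s, c, 80, 40000, b"HTTP/1.1 200 OK\r\n\r\nMZ...")),
        (1, 500, make_frame("10.0.0.99", "10.0.0.255", 137, 137)),   # unrelated host
        (1, 600, arp),                                                # not IPv4 at all
    ])


if __name__ == "__main__":
    for ts, iface, note in assign_sides(sample_capture()):
        print(f"{ts:.6f}  {iface or '-':5}  {note}")
```

Running it prints one line per packet with the interface it belongs to; the two trailing packets come out unassigned, which is exactly the kind of thing to clean out of a capture before handing it to a two-sided replay, since an IPS sees nothing of the "conversation" in a packet that is only ever injected from one side.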
I can recommend the following whitepaper published by ICSA Labs about the inner workings of Tomahawk.