Snort mailing list archives
Re: Developing a TCP/IP connections statistics plugin
From: Phuong Cao <phuong.m.cao () gmail com>
Date: Tue, 28 Oct 2014 11:51:12 -0700
Hi Carter,

I plan to define my statistics to _SessionControlBlock (session_common.h) and update the statistics whenever I see a new TCP packet in the ProcessTCPStream function (snort_stream_tcp.c). This would result in a patch definitely. What would you suggest to add the statistics as a dynamic plugin? Your pointers are very helpful.

Thanks.
- PC

On Tue, Oct 28, 2014 at 9:53 AM, Carter Waxman (cwaxman) <cwaxman () cisco com> wrote:

Hi Phuong,

We actually collect statistics on TCP as well. This is all functionality handled by the perfmon preprocessor, and you may want to look into going that route. Have a look at perf-base.{c,h}, as this is where we store and manipulate such things. Also, look into the way we track streams in snort_stream_tcp.c. You will find some of the connection accounting you are looking for handled by this component.

Let us know if there is anything else!

- Carter

On 10/27/14, 8:17 PM, "Phuong Cao" <phuong.m.cao () gmail com> wrote:

Hi there,

I am having some questions when building a TCP/IP connection statistics plugin for Snort. My TCP/IP connection statistics plugin collects statistics such as number of exchanged packets, packet sending rates, inter-packet arrival time, and so on for a TCP/IP connection (which is a tuple of src_ip:src_port and dst_ip:dst_port).

I see that Snort already has a performance counter for IP (function UpdateFlowIPStats() in the file perf-flow.c). I am thinking of patching this file (that is, updating the sfBTStats structure to support my statistics). Although patching might work, I think a dynamic plugin is a better approach. Is the proposed approach the right direction to go? I appreciate any suggestions.

Thanks
- Phuong

------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
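The per-connection accounting discussed in this thread (packet count, packet rate and inter-packet arrival time, keyed by the src_ip:src_port / dst_ip:dst_port tuple) can be sketched as below. This is an added example, not code from the thread or from Snort: `conn_stats`, `conn_lookup`, `conn_update` and the helper functions are hypothetical names, and the record is a stand-alone table rather than Snort's _SessionControlBlock or perfmon structures.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical per-connection record; NOT Snort's _SessionControlBlock. */
typedef struct {
    uint32_t ip_a, ip_b;        /* endpoints, ordered so both directions match */
    uint16_t port_a, port_b;
    uint64_t packets;
    double first_ts, last_ts;   /* capture timestamps, seconds */
    double iat_sum;             /* sum of inter-packet arrival times */
    int in_use;
} conn_stats;

#define CONN_SLOTS 1024         /* fixed-size table keeps memory bounded */
static conn_stats conn_table[CONN_SLOTS];

/* Find or create the record for a 4-tuple; NULL when the table is full. */
static conn_stats *conn_lookup(uint32_t sip, uint16_t sp, uint32_t dip, uint16_t dp) {
    int swap = sip > dip || (sip == dip && sp > dp);   /* A->B and B->A share a key */
    uint32_t a = swap ? dip : sip, b = swap ? sip : dip;
    uint16_t pa = swap ? dp : sp, pb = swap ? sp : dp;
    uint32_t h = (a * 2654435761u) ^ (b * 40503u) ^ (((uint32_t)pa << 16) | pb);
    for (uint32_t i = 0; i < CONN_SLOTS; i++) {        /* linear probing */
        conn_stats *c = &conn_table[(h + i) % CONN_SLOTS];
        if (!c->in_use) {
            memset(c, 0, sizeof *c);
            c->ip_a = a; c->ip_b = b; c->port_a = pa; c->port_b = pb;
            c->in_use = 1;
            return c;
        }
        if (c->ip_a == a && c->ip_b == b && c->port_a == pa && c->port_b == pb)
            return c;
    }
    return NULL;
}

/* Call once per TCP packet, with the packet's capture timestamp. */
static conn_stats *conn_update(uint32_t sip, uint16_t sp, uint32_t dip, uint16_t dp, double ts) {
    conn_stats *c = conn_lookup(sip, sp, dip, dp);
    if (!c) return NULL;
    if (c->packets > 0 && ts > c->last_ts) c->iat_sum += ts - c->last_ts;
    if (c->packets == 0) c->first_ts = c->last_ts = ts;
    else if (ts > c->last_ts) c->last_ts = ts;         /* ignore backward clock steps */
    c->packets++;
    return c;
}

static double conn_mean_iat(const conn_stats *c) { return c->packets > 1 ? c->iat_sum / (double)(c->packets - 1) : 0.0; }
static double conn_pkt_rate(const conn_stats *c) { double d = c->last_ts - c->first_ts; return d > 0 ? (double)c->packets / d : 0.0; }
```

The table never grows or evicts, so a sensor using this pattern needs a timeout or pruning policy; otherwise a scan or SYN flood fills all slots and new connections go uncounted.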
Current thread:
- Developing a TCP/IP connections statistics plugin Phuong Cao (Oct 27)
- Re: Developing a TCP/IP connections statistics plugin Carter Waxman (cwaxman) (Oct 28)
- Re: Developing a TCP/IP connections statistics plugin Phuong Cao (Oct 28)
- Re: Developing a TCP/IP connections statistics plugin Carter Waxman (cwaxman) (Oct 28)