Snort mailing list archives
Re: Snort3 Plugin DPX only get a small amount of packets
From: Jianyu Li via Snort-users <snort-users () lists snort org>
Date: Tue, 12 Mar 2019 10:40:49 +0000
Hi Carter,

Thank you very much for your help! I will look into them.

Best regards,
Li

________________________________
From: Carter Waxman (cwaxman) <cwaxman () cisco com>
Sent: 11 March 2019 17:50:22
To: Jianyu Li; snort-users () lists snort org
Subject: Re: [Snort-users] Snort3 Plugin DPX only get a small amount of packets

The path for processing is roughly:

{packet loop or stream reassembly delivers packet} -> Snort::inspect() -> DetectionEngine::inspect() -> InspectorManager::execute() -> { eval(p) on all relevant inspectors. This includes Dpx::eval }.

IT_PROBE will send all wire packets from the main hook through that path, but not reassembled packets. InspectorManager::execute() is where the decision is made whether to call a particular inspector or not. See src/network_inspectors/packet_capture/packet_capture.cc for an example of where we use this. See src/framework/inspector.h for the finer points on those definitions.

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Jianyu Li via Snort-users <snort-users () lists snort org>
Reply-To: Jianyu Li <jli31 () qub ac uk>
Date: Monday, March 11, 2019 at 10:11 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Snort3 Plugin DPX only get a small amount of packets

Hi Carter,

Thank you very much for the reply! I had already updated it to PROTO_BIT__TCP before, and after changing it to PROTO_BIT__ANY_TYPE, I only got 229 packets while the summary shows that there are 2739 packets in total. You mentioned DetectionEngine::inspect(); is this the function that calls DPX to run eval()? I wanted to know which Snort component will call the DPX when a packet arrives. Is there a way for DPX to get all packets? I would be grateful if you could help me clear my mind. Thanks in advance!

Best regards,
Li

________________________________
From: Carter Waxman (cwaxman) <cwaxman () cisco com>
Sent: 11 March 2019 13:14:35
To: Jianyu Li; snort-users () lists snort org
Subject: Re: [Snort-users] Snort3 Plugin DPX only get a small amount of packets

DPX is set to receive UDP only by default. Update PROTO_BIT__UDP to PROTO_BIT__ANY_TYPE.

Stream performs its reassembly and sends generated PDUs (passed via Packet*) to DetectionEngine::inspect(), which runs all of the relevant inspectors followed by rule evaluation, just as with wire packets. Inspectors looking for stream-reassembled data will request PROTO_BIT__PDU.

-Carter

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Jianyu Li via Snort-users <snort-users () lists snort org>
Reply-To: Jianyu Li <jli31 () qub ac uk>
Date: Monday, March 11, 2019 at 4:19 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Snort3 Plugin DPX only get a small amount of packets

Hey guys,

Any idea how Snort passes packets to plugin inspectors? I read that the Stream inspector is responsible for TCP reassembly, so is it also passing packets to other inspectors after reassembling them?

Thanks
Li

________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Jianyu Li via Snort-users <snort-users () lists snort org>
Sent: 08 March 2019 09:11
To: snort-users () lists snort org
Subject: [Snort-users] Snort3 Plugin DPX only get a small amount of packets

Hi,

I ran the snort3 plugin but only got 80 packets in my plugin. The total number of packets in the summary is 2739. The question is why I only got 80 packets instead of all the packets in the pcap file. I am not sure what the mechanism in Snort3 is for passing packets to different components.

The eval function in my plugin is just one line:

    void Dpx::eval(Packet* p) { ++dpxstats.total_packets; }

The output showed that there are only 80 packets passed to the dpx:

--------------------------------------------------
dpx
                   packets: 80
--------------------------------------------------

The command I run is:

root@ubuntudesk1:~# snort --plugin-path /usr/local/lib -c /usr/local/etc/snort/snort.lua --lua "dpx={}" -r iec61850.pcap

--------------------------------------------------
o")~   Snort++ 3.0.0-249
--------------------------------------------------
Disabling profiler because signal 27 handler is already in use.
Loading /usr/local/etc/snort/snort.lua:
    ssh pop binder stream_tcp gtp_inspect dce_http_proxy stream_icmp normalizer
    ftp_server stream_udp dce_smb dpx ips modbus rpc_decode latency wizard appid
    file_id ftp_data smtp back_orifice port_scan dce_http_server dce_tcp telnet
    ssl sip classifications http2_inspect http_inspect stream_user stream_ip dnp3
    ftp_client stream references arp_spoof dns dce_udp imap stream_file
Finished /usr/local/etc/snort/snort.lua.
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] iec61850.pcap
-- [0] iec61850.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                     pcaps: 1
                  received: 2739
                  analyzed: 2739
                     allow: 2739
                  rx_bytes: 985615
--------------------------------------------------
codec
                     total: 2739          (100.000%)
                       arp: 46            (  1.679%)
                       eth: 2739          (100.000%)
                     icmp6: 12            (  0.438%)
                      igmp: 4             (  0.146%)
                      ipv4: 2658          ( 97.043%)
                      ipv6: 35            (  1.278%)
             ipv6_hop_opts: 8             (  0.292%)
                       tcp: 2594          ( 94.706%)
                       udp: 83            (  3.030%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                  analyzed: 2739
--------------------------------------------------
latency
             total_packets: 2791
               total_usecs: 14640
                 max_usecs: 103
--------------------------------------------------
host_tracker
              service_adds: 1
--------------------------------------------------
host_cache
            lru_cache_adds: 1
     lru_cache_find_misses: 1
--------------------------------------------------
appid
                   packets: 2693
         processed_packets: 2693
            total_sessions: 33
             appid_unknown: 13
--------------------------------------------------
arp_spoof
                   packets: 46
--------------------------------------------------
back_orifice
                   packets: 75
--------------------------------------------------
binder
                   packets: 25
                  inspects: 25
--------------------------------------------------
dpx
                   packets: 80
--------------------------------------------------
normalizer
             test_ip4_opts: 4
          test_tcp_options: 4
         test_tcp_trim_win: 1
           test_tcp_ts_nop: 1
--------------------------------------------------
port_scan
                   packets: 2693
--------------------------------------------------
ssl
                   packets: 48
                   decoded: 48
      unrecognized_records: 48
   max_concurrent_sessions: 1
--------------------------------------------------
stream
                  ip_flows: 1
           ip_total_prunes: 1
            ip_idle_prunes: 1
                icmp_flows: 4
         icmp_total_prunes: 4
          icmp_idle_prunes: 4
                 tcp_flows: 4
                 udp_flows: 16
          udp_total_prunes: 11
           udp_idle_prunes: 11
--------------------------------------------------
stream_icmp
                  sessions: 4
                       max: 4
                   created: 4
                  released: 4
--------------------------------------------------
stream_ip
                  sessions: 1
                       max: 1
                   created: 1
                  released: 1
--------------------------------------------------
stream_tcp
                  sessions: 4
                       max: 4
                   created: 4
                  released: 4
                  timeouts: 2
              instantiated: 2
                    setups: 4
                  restarts: 1
              syn_trackers: 2
             data_trackers: 2
               segs_queued: 1929
             segs_released: 1929
                 segs_used: 1929
           rebuilt_packets: 52
             rebuilt_bytes: 797387
           client_cleanups: 3
           server_cleanups: 3
                      syns: 2
                  syn_acks: 2
                    resets: 1
                      fins: 1
--------------------------------------------------
stream_udp
                  sessions: 16
                       max: 16
                   created: 24
                  released: 24
                  timeouts: 8
--------------------------------------------------
wizard
                 tcp_scans: 48
                  tcp_hits: 1
                 udp_scans: 83
--------------------------------------------------
Appid dynamic stats:
unknown_app: flows: 12, clients: 0, users: 0, payloads 0, misc: 0
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                   runtime: 00:00:00
                   seconds: 0.216729
                   packets: 2739
                  pkts/sec: 2739
o")~   Snort exiting

Thank you very much for any help and advice!

Best regards,
Li
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users To unsubscribe, send an email to: snort-users-leave () lists snort org Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
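The following is an added example, not code from the thread or from Snort itself. It is a toy model of the inspector selection rule Carter describes above: a probe (IT_PROBE) only receives wire packets from the main hook, and an inspector is called only when the packet carries a protocol bit it asked for, with stream-rebuilt PDUs reaching inspectors that requested PROTO_BIT__PDU. The constant names are taken from the thread, but the bit values, the Packet and Inspector structs and the wants() predicate are assumptions made for illustration; the real definitions live in Snort's src/framework/inspector.h (the plugin's request is the proto_bits member of its InspectApi) and the real decision is made in InspectorManager::execute(). The sample traffic is constructed, not taken from iec61850.pcap.

```cpp
// Added example, not Snort's code: a toy model of the inspector selection rule
// described in this thread.  Names like PROTO_BIT__UDP and IT_PROBE come from
// the thread, but the bit values, the Packet/Inspector structs and wants() are
// assumptions for illustration; the real definitions are in Snort's
// src/framework/inspector.h and the real decision is InspectorManager::execute().
#include <cstdio>
#include <initializer_list>
#include <string>
#include <vector>

// Illustrative protocol bits (assumed values, not Snort's).
constexpr unsigned PROTO_BIT__ARP      = 0x01;
constexpr unsigned PROTO_BIT__TCP      = 0x02;
constexpr unsigned PROTO_BIT__UDP      = 0x04;
constexpr unsigned PROTO_BIT__ICMP     = 0x08;
constexpr unsigned PROTO_BIT__PDU      = 0x10;   // stream-rebuilt data, per the thread
constexpr unsigned PROTO_BIT__ANY_TYPE = PROTO_BIT__ARP | PROTO_BIT__TCP
                                       | PROTO_BIT__UDP | PROTO_BIT__ICMP;

enum InspectorType { IT_PROBE, IT_NETWORK };

struct Packet {
    unsigned proto_bits;  // protocols the decoder found in this packet
    bool rebuilt;         // true when Stream generated it from reassembled segments
};

struct Inspector {
    std::string name;
    InspectorType type;
    unsigned proto_bits;  // what the plugin asked for (InspectApi::proto_bits in Snort)
    unsigned seen = 0;
    void eval(const Packet&) { ++seen; }  // same as Dpx::eval in the original post
};

// Model of the decision the thread attributes to InspectorManager::execute():
// a probe only sees wire packets from the main hook, and any inspector is
// called only when the packet carries a protocol bit it asked for.
bool wants(const Inspector& insp, const Packet& p) {
    if (insp.type == IT_PROBE && p.rebuilt)
        return false;
    return (insp.proto_bits & p.proto_bits) != 0;
}

struct Counts { unsigned udp_only, any_type_probe, pdu_consumer; };

// Constructed traffic: three TCP, two UDP and one ARP wire packet, followed by
// two PDUs that Stream rebuilt from the TCP segments.
std::vector<Packet> sample_traffic() {
    return {
        {PROTO_BIT__TCP, false}, {PROTO_BIT__TCP, false}, {PROTO_BIT__TCP, false},
        {PROTO_BIT__UDP, false}, {PROTO_BIT__UDP, false},
        {PROTO_BIT__ARP, false},
        {PROTO_BIT__PDU, true},  {PROTO_BIT__PDU, true},
    };
}

// Runs three inspector configurations over the same traffic:
//  - the stock dpx (IT_PROBE, PROTO_BIT__UDP) sees only the UDP packets,
//  - dpx with PROTO_BIT__ANY_TYPE sees every wire packet but no rebuilt PDU,
//  - a non-probe inspector requesting PROTO_BIT__PDU sees only the rebuilt PDUs.
Counts run(const std::vector<Packet>& pkts) {
    Inspector udp_only{"dpx default", IT_PROBE, PROTO_BIT__UDP};
    Inspector any_probe{"dpx ANY_TYPE", IT_PROBE, PROTO_BIT__ANY_TYPE};
    Inspector pdu_insp{"pdu consumer", IT_NETWORK, PROTO_BIT__PDU};

    for (const Packet& p : pkts)
        for (Inspector* i : {&udp_only, &any_probe, &pdu_insp})
            if (wants(*i, p))
                i->eval(p);

    return {udp_only.seen, any_probe.seen, pdu_insp.seen};
}

int main() {
    Counts c = run(sample_traffic());
    std::printf("udp only: %u  any_type probe: %u  pdu consumer: %u\n",
                c.udp_only, c.any_type_probe, c.pdu_consumer);
    return 0;
}
```

Build with `g++ -std=c++17 probe_model.cpp -o probe_model` and run it. The three counters make the thread's point concrete: with the default PROTO_BIT__UDP request the counter tracks the UDP total (compare udp: 83 in the codec stats with dpx packets: 80 above), switching to PROTO_BIT__ANY_TYPE widens it to all wire packets, and neither setting lets an IT_PROBE see the rebuilt PDUs that stream_tcp reports as rebuilt_packets; for those, request PROTO_BIT__PDU from a non-probe inspector.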
Current thread:
- Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 08)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 11)
- Re: Snort3 Plugin DPX only get a small amount of packets Russ via Snort-users (Mar 24)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 25)
- Re: Snort3 Plugin DPX only get a small amount of packets Russ via Snort-users (Mar 24)
- <Possible follow-ups>
- Re: Snort3 Plugin DPX only get a small amount of packets Carter Waxman (cwaxman) via Snort-users (Mar 11)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 11)
- Re: Snort3 Plugin DPX only get a small amount of packets Carter Waxman (cwaxman) via Snort-users (Mar 11)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 12)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 18)
- Re: Snort3 Plugin DPX only get a small amount of packets Carter Waxman (cwaxman) via Snort-users (Mar 18)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 19)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 19)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 11)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 11)