Snort mailing list archives
Re: Snort3 Plugin DPX only get a small amount of packets
From: Jianyu Li via Snort-users <snort-users () lists snort org>
Date: Mon, 25 Mar 2019 08:37:02 +0000
Hi Russ,

Thank you very much! Yes, I think I figured it out; Carter helped me to understand the process in Snort. I wrote a simple StreamSplitter for dpx and it works well! I didn't think of breaking in the eval function before, that's a very good suggestion!

Best regards,
Li

________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Russ via Snort-users <snort-users () lists snort org>
Sent: 24 March 2019 20:11:25
To: snort-users () lists snort org
Subject: Re: [Snort-users] Snort3 Plugin DPX only get a small amount of packets

Hey Li,

Did you figure this out? In general, and indirectly, stream_tcp will pass rebuilt packets (PDUs) to the service inspector, but that depends on the StreamSplitter. The best way to figure out what's going on is to break in your eval function and examine the call stack.

Hope that helps.

Russ

On 3/11/19 4:13 AM, Jianyu Li via Snort-users wrote:

Hey guys,

Any idea how Snort passes packets to plugin inspectors? I read that the Stream inspector is responsible for TCP reassembly, so is it also passing packets to other inspectors after reassembly of the packets?

Thanks
Li

________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Jianyu Li via Snort-users <snort-users () lists snort org>
Sent: 08 March 2019 09:11
To: snort-users () lists snort org
Subject: [Snort-users] Snort3 Plugin DPX only get a small amount of packets

Hi,

I ran the snort3 plugin but only got 80 packets in my plugin. The total number of packets in the summary is 2739. The question is why I could only get 80 packets instead of all packets in the pcap file. I am not sure what the mechanism in Snort3 is for passing packets to the different components.
The eval function in my plugin is just one line:

    void Dpx::eval(Packet* p) { ++dpxstats.total_packets; }

The output showed that there are only 80 packets passed to the dpx:

--------------------------------------------------
dpx
    packets: 80
--------------------------------------------------

The command I run is:

root@ubuntudesk1:~# snort --plugin-path /usr/local/lib -c /usr/local/etc/snort/snort.lua --lua "dpx={}" -r iec61850.pcap
--------------------------------------------------
o")~   Snort++ 3.0.0-249
--------------------------------------------------
Disabling profiler because signal 27 handler is already in use.
Loading /usr/local/etc/snort/snort.lua:
    ssh
    pop
    binder
    stream_tcp
    gtp_inspect
    dce_http_proxy
    stream_icmp
    normalizer
    ftp_server
    stream_udp
    dce_smb
    dpx
    ips
    modbus
    rpc_decode
    latency
    wizard
    appid
    file_id
    ftp_data
    smtp
    back_orifice
    port_scan
    dce_http_server
    dce_tcp
    telnet
    ssl
    sip
    classifications
    http2_inspect
    http_inspect
    stream_user
    stream_ip
    dnp3
    ftp_client
    stream
    references
    arp_spoof
    dns
    dce_udp
    imap
    stream_file
Finished /usr/local/etc/snort/snort.lua.
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] iec61850.pcap
-- [0] iec61850.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
    pcaps: 1
    received: 2739
    analyzed: 2739
    allow: 2739
    rx_bytes: 985615
--------------------------------------------------
codec
    total: 2739 (100.000%)
    arp: 46 (1.679%)
    eth: 2739 (100.000%)
    icmp6: 12 (0.438%)
    igmp: 4 (0.146%)
    ipv4: 2658 (97.043%)
    ipv6: 35 (1.278%)
    ipv6_hop_opts: 8 (0.292%)
    tcp: 2594 (94.706%)
    udp: 83 (3.030%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
    analyzed: 2739
--------------------------------------------------
latency
    total_packets: 2791
    total_usecs: 14640
    max_usecs: 103
--------------------------------------------------
host_tracker
    service_adds: 1
--------------------------------------------------
host_cache
    lru_cache_adds: 1
    lru_cache_find_misses: 1
--------------------------------------------------
appid
    packets: 2693
    processed_packets: 2693
    total_sessions: 33
    appid_unknown: 13
--------------------------------------------------
arp_spoof
    packets: 46
--------------------------------------------------
back_orifice
    packets: 75
--------------------------------------------------
binder
    packets: 25
    inspects: 25
--------------------------------------------------
dpx
    packets: 80
--------------------------------------------------
normalizer
    test_ip4_opts: 4
    test_tcp_options: 4
    test_tcp_trim_win: 1
    test_tcp_ts_nop: 1
--------------------------------------------------
port_scan
    packets: 2693
--------------------------------------------------
ssl
    packets: 48
    decoded: 48
    unrecognized_records: 48
    max_concurrent_sessions: 1
--------------------------------------------------
stream
    ip_flows: 1
    ip_total_prunes: 1
    ip_idle_prunes: 1
    icmp_flows: 4
    icmp_total_prunes: 4
    icmp_idle_prunes: 4
    tcp_flows: 4
    udp_flows: 16
    udp_total_prunes: 11
    udp_idle_prunes: 11
--------------------------------------------------
stream_icmp
    sessions: 4
    max: 4
    created: 4
    released: 4
--------------------------------------------------
stream_ip
    sessions: 1
    max: 1
    created: 1
    released: 1
--------------------------------------------------
stream_tcp
    sessions: 4
    max: 4
    created: 4
    released: 4
    timeouts: 2
    instantiated: 2
    setups: 4
    restarts: 1
    syn_trackers: 2
    data_trackers: 2
    segs_queued: 1929
    segs_released: 1929
    segs_used: 1929
    rebuilt_packets: 52
    rebuilt_bytes: 797387
    client_cleanups: 3
    server_cleanups: 3
    syns: 2
    syn_acks: 2
    resets: 1
    fins: 1
--------------------------------------------------
stream_udp
    sessions: 16
    max: 16
    created: 24
    released: 24
    timeouts: 8
--------------------------------------------------
wizard
    tcp_scans: 48
    tcp_hits: 1
    udp_scans: 83
--------------------------------------------------
Appid dynamic stats:
    unknown_app: flows: 12, clients: 0, users: 0, payloads 0, misc: 0
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
    runtime: 00:00:00
    seconds: 0.216729
    packets: 2739
    pkts/sec: 2739
o")~   Snort exiting

Thank you very much for any help and advice!

Best regards,
Li

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to:
snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
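Added example, not part of the thread and not Li's dpx splitter or Snort's own code: the thread's answer is that a service inspector's eval() sees whatever stream_tcp flushes through the inspector's StreamSplitter, so the piece a plugin author has to write is the splitter's scan() logic. The block below shows that logic for TPKT/RFC 1006 framing (the TCP framing under IEC 61850 MMS; that the capture contains MMS is an assumption, the page only gives the pcap name), plus a small driver that plays the role of stream_tcp for a handful of constructed segments. The StreamSplitter class here is a stand-in that only mirrors the scan()/Status contract of snort::StreamSplitter (stream/stream_splitter.h); the real scan() takes a Flow* (Packet* in later versions) as its first argument, the real class has more virtuals, and an inspector hands its splitter to stream_tcp via get_splitter(bool). The stand-in drops those details so the file builds without Snort headers; check the header in your Snort tree before copying the signature.

```cpp
// Added example: TPKT StreamSplitter in the shape of Snort 3's PAF contract,
// with a driver standing in for stream_tcp. ASSUMPTION: StreamSplitter below is
// a simplified stand-in for snort::StreamSplitter, not the real class.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

class StreamSplitter {
public:
    enum Status { ABORT, START, SEARCH, FLUSH, STOP, SKIP };
    explicit StreamSplitter(bool c2s) : c2s_(c2s) {}
    virtual ~StreamSplitter() = default;
    // Look at `len` new in-order bytes. FLUSH: *fp = offset within `data` just
    // past the end of the current PDU. SEARCH: need more bytes. ABORT: give up
    // on PDU splitting for this flow.
    virtual Status scan(const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) = 0;
    virtual void reset() {}
    bool to_server() const { return c2s_; }
private:
    const bool c2s_;
};

// TPKT header: version 3, reserved 0, 16-bit big-endian length of the whole
// PDU including the header. State persists across scan() calls, so a header
// or body split over several TCP segments is reassembled correctly.
class TpktSplitter : public StreamSplitter {
public:
    explicit TpktSplitter(bool c2s) : StreamSplitter(c2s) { reset(); }
    void reset() override { hdr_len_ = 0; remaining_ = 0; }

    Status scan(const uint8_t* data, uint32_t len, uint32_t /*flags*/, uint32_t* fp) override {
        uint32_t i = 0;
        while (i < len) {
            if (remaining_ == 0) {                        // collecting header bytes
                hdr_[hdr_len_++] = data[i++];
                if (hdr_len_ == 1 && hdr_[0] != 3)
                    return ABORT;                         // not TPKT
                if (hdr_len_ == 4) {
                    uint32_t total = (uint32_t(hdr_[2]) << 8) | hdr_[3];
                    if (total < 4)
                        return ABORT;                     // length cannot cover the header
                    remaining_ = total - 4;               // body bytes still to see
                    hdr_len_ = 0;
                    if (remaining_ == 0) { *fp = i; return FLUSH; }
                }
            } else {                                      // consuming body bytes
                uint32_t take = std::min(remaining_, len - i);
                remaining_ -= take;
                i += take;
                if (remaining_ == 0) { *fp = i; return FLUSH; }
            }
        }
        return SEARCH;
    }
private:
    uint8_t hdr_[4];
    uint32_t hdr_len_;
    uint32_t remaining_;
};

struct Reassembly {
    std::vector<size_t> pdu_sizes;   // one entry per rebuilt packet delivered
    bool aborted = false;
    size_t queued = 0;               // bytes still waiting for a flush point
};

// Stand-in for what stream_tcp does with a splitter: queue in-order segment
// data, scan() each new chunk, on FLUSH deliver everything queued up to the
// flush point as one rebuilt packet (what a service inspector's eval() sees),
// then rescan the leftover bytes of the segment.
static Reassembly drive(StreamSplitter& sp, const std::vector<std::vector<uint8_t>>& segs) {
    Reassembly r;
    std::vector<uint8_t> queued;
    for (const auto& seg : segs) {
        const uint8_t* p = seg.data();
        uint32_t left = static_cast<uint32_t>(seg.size());
        while (left) {
            uint32_t fp = 0;
            StreamSplitter::Status st = sp.scan(p, left, 0, &fp);
            if (st == StreamSplitter::ABORT) { r.aborted = true; r.queued = queued.size() + left; return r; }
            if (st != StreamSplitter::FLUSH) { queued.insert(queued.end(), p, p + left); break; }
            queued.insert(queued.end(), p, p + fp);
            r.pdu_sizes.push_back(queued.size());   // stream_tcp would build the PDU packet here
            queued.clear();
            p += fp; left -= fp;
        }
    }
    r.queued = queued.size();
    return r;
}

// Constructed sample: two TPKT PDUs (10 and 6 bytes) cut into three TCP
// segments so the first header and the second PDU both straddle segments.
Reassembly reassemble_sample() {
    const std::vector<uint8_t> s = {
        0x03,0x00,0x00,0x0A, 0x11,0x22,0x33,0x44,0x55,0x66,   // PDU 1: 4 + 6 bytes
        0x03,0x00,0x00,0x06, 0x77,0x88 };                      // PDU 2: 4 + 2 bytes
    std::vector<std::vector<uint8_t>> segs = {
        std::vector<uint8_t>(s.begin(),      s.begin() + 3),   // partial header
        std::vector<uint8_t>(s.begin() + 3,  s.begin() + 12),  // rest of PDU 1 + 2 bytes of PDU 2
        std::vector<uint8_t>(s.begin() + 12, s.end()) };
    TpktSplitter sp(true);
    return drive(sp, segs);
}

// Constructed sample: first byte 0x16 (a TLS record, not TPKT) triggers ABORT.
Reassembly reassemble_non_tpkt() {
    std::vector<std::vector<uint8_t>> segs = { { 0x16, 0x03, 0x01, 0x00, 0x05 } };
    TpktSplitter sp(true);
    return drive(sp, segs);
}

int main() {
    Reassembly r = reassemble_sample();
    std::printf("rebuilt packets: %zu, sizes:", r.pdu_sizes.size());
    for (size_t n : r.pdu_sizes) std::printf(" %zu", n);
    std::printf(", leftover %zu, aborted %d\n", r.queued, r.aborted);
    std::printf("non-TPKT flow aborted: %d\n", reassemble_non_tpkt().aborted);
    return 0;
}
```

The point to take from the driver is the one Russ made: the inspector's packet counter is incremented once per rebuilt PDU the splitter flushes (here two, out of three TCP segments), not once per wire packet, so a count far below the codec total is the expected shape of the numbers when the splitter is doing its job. Breaking in eval() under a debugger and reading the call stack shows whether the packet arrived from the stream reassembly path or directly from the binder.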
Current thread:
- Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 08)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 11)
- Re: Snort3 Plugin DPX only get a small amount of packets Russ via Snort-users (Mar 24)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 25)
- Re: Snort3 Plugin DPX only get a small amount of packets Russ via Snort-users (Mar 24)
- <Possible follow-ups>
- Re: Snort3 Plugin DPX only get a small amount of packets Carter Waxman (cwaxman) via Snort-users (Mar 11)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 11)
- Re: Snort3 Plugin DPX only get a small amount of packets Carter Waxman (cwaxman) via Snort-users (Mar 11)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 12)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 18)
- Re: Snort3 Plugin DPX only get a small amount of packets Carter Waxman (cwaxman) via Snort-users (Mar 18)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 19)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 19)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 11)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 11)