Snort mailing list archives

Re: Developing a TCP/IP connections statistics plugin


From: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Tue, 28 Oct 2014 16:53:40 +0000

Hi Phuong,

We actually collect statistics on TCP as well. This is all functionality
handled by the perfmon preprocessor, and you may want to look into going
that route. Have a look at perf-base.{c,h}, as this is where we store and
manipulate such things. Also, look into the way we track streams in
snort_stream_tcp.c. You will find some of the connection accounting you
are looking for handled by this component.

Let us know if there is anything else!

- Carter

On 10/27/14, 8:17 PM, "Phuong Cao" <phuong.m.cao () gmail com> wrote:

Hi there,

I am having some questions when building a TCP/IP connection
statistics plugin for Snort.

My TCP/IP connection statistics plugin collects statistics such as
number of exchanged packets, packet sending rates, inter packet
arrival time, and so on for a TCP/IP connection (which is a tuple of
src_ip:src_port and dst_ip:dst_port). I see that Snort already has a
performance counter for IP (function UpdateFlowIPStats() in the file
perf-flow.c). I am thinking of patching this file (that is updating
the sfBTStats structure to support my statistics). Although patching
might work, I think a dynamic plugin is a better approach.

Is the proposed approach a right direction to go? I appreciate any
suggestions.

Thanks
- Phuong

------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
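As an added illustration of the per-connection accounting discussed in this thread (packet counts, sending rate and inter-packet arrival time for a connection identified by src_ip:src_port and dst_ip:dst_port), here is a small C example written for this page. It is not Snort's perfmon, perf-base or snort_stream_tcp code, and everything in it is an assumption made for the example: the structure and function names, the fixed-size linear table, and the constructed packet records. It goes one step beyond the tuple in the question by storing the endpoints in a canonical order, so that packets in both directions of one TCP conversation accumulate into the same record; it also shows two edge cases a counter like this has to handle, a full table (the packet is counted as dropped rather than silently lost) and a timestamp that goes backwards (the gap is clamped so it cannot drive the inter-arrival sum negative).

```c
#include <stdint.h>
#include <string.h>

#define MAX_FLOWS 64   /* fixed-size table (assumption): memory stays bounded under a flow flood */

/* Connection key with the endpoints in canonical order, so both directions share one record. */
typedef struct { uint32_t ip_a, ip_b; uint16_t port_a, port_b; } flow_key_t;

typedef struct {
    flow_key_t key;
    int in_use;
    uint64_t pkts_ab, pkts_ba;   /* packet counts a->b and b->a */
    double first_ts, last_ts;    /* seconds: first and latest packet seen */
    double iat_sum;              /* running sum of inter-packet arrival gaps */
} flow_stats_t;

typedef struct {
    flow_stats_t flows[MAX_FLOWS];
    uint64_t dropped;            /* packets not counted because the table was full */
} flow_table_t;

/* Constructed packet summary: the fields a plugin would read from the decoded packet. */
typedef struct { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; double ts; } pkt_t;

/* Canonical key: the lower (ip, port) pair is endpoint a; *reversed is set for b->a packets. */
static flow_key_t make_key(const pkt_t *p, int *reversed) {
    *reversed = p->src_ip > p->dst_ip || (p->src_ip == p->dst_ip && p->src_port > p->dst_port);
    return *reversed ? (flow_key_t){p->dst_ip, p->src_ip, p->dst_port, p->src_port}
                     : (flow_key_t){p->src_ip, p->dst_ip, p->src_port, p->dst_port};
}

static int key_eq(const flow_key_t *x, const flow_key_t *y) {
    return x->ip_a == y->ip_a && x->ip_b == y->ip_b && x->port_a == y->port_a && x->port_b == y->port_b;
}

/* Linear lookup; when create is set and a slot is free, a zeroed record is started. */
static flow_stats_t *lookup(flow_table_t *t, const flow_key_t *k, int create) {
    flow_stats_t *free_slot = NULL;
    for (int i = 0; i < MAX_FLOWS; i++) {
        flow_stats_t *f = &t->flows[i];
        if (f->in_use) { if (key_eq(&f->key, k)) return f; }
        else if (!free_slot) free_slot = f;
    }
    if (!create || !free_slot) return NULL;
    memset(free_slot, 0, sizeof *free_slot);
    free_slot->key = *k;
    free_slot->in_use = 1;
    return free_slot;
}

/* Account one packet; returns 0 on success, -1 (and counts a drop) when the table is full. */
int flow_table_update(flow_table_t *t, const pkt_t *p) {
    int rev;
    flow_key_t k = make_key(p, &rev);
    flow_stats_t *f = lookup(t, &k, 1);
    if (!f) { t->dropped++; return -1; }
    if (f->pkts_ab + f->pkts_ba == 0) {
        f->first_ts = p->ts;
    } else {
        double gap = p->ts - f->last_ts;
        if (gap < 0) gap = 0;    /* timestamp went backwards: do not poison the sum */
        f->iat_sum += gap;
    }
    f->last_ts = p->ts;
    if (rev) f->pkts_ba++; else f->pkts_ab++;
    return 0;
}

/* Find the record for a packet seen in either direction (NULL if unknown). */
const flow_stats_t *flow_table_find(flow_table_t *t, const pkt_t *p) {
    int rev;
    flow_key_t k = make_key(p, &rev);
    return lookup(t, &k, 0);
}

uint64_t flow_packets(const flow_stats_t *f) { return f->pkts_ab + f->pkts_ba; }

/* Mean inter-packet arrival time over the n-1 gaps between n packets (0 for one packet). */
double flow_mean_iat(const flow_stats_t *f) {
    uint64_t n = flow_packets(f);
    return n > 1 ? f->iat_sum / (double)(n - 1) : 0.0;
}

/* Packet rate in packets per second over the observed lifetime of the connection. */
double flow_pkt_rate(const flow_stats_t *f) {
    double dur = f->last_ts - f->first_ts;
    return dur > 0 ? (double)flow_packets(f) / dur : 0.0;
}

/* Constructed sample traffic: a short HTTP-like exchange plus one packet on another connection. */
int run_sample(flow_table_t *t) {
    const pkt_t pk[] = {
        {0x0A000001, 0x0A000002, 40000, 80, 0.0},    /* SYN, 10.0.0.1:40000 -> 10.0.0.2:80 */
        {0x0A000002, 0x0A000001, 80, 40000, 0.1},    /* SYN/ACK */
        {0x0A000001, 0x0A000002, 40000, 80, 0.2},    /* ACK */
        {0x0A000001, 0x0A000002, 40000, 80, 0.5},    /* request */
        {0x0A000002, 0x0A000001, 80, 40000, 1.0},    /* response */
        {0x0A000003, 0x0A000002, 5555, 443, 0.3},    /* lone packet, 10.0.0.3:5555 -> 10.0.0.2:443 */
    };
    int accepted = 0;
    for (size_t i = 0; i < sizeof pk / sizeof pk[0]; i++)
        if (flow_table_update(t, &pk[i]) == 0) accepted++;
    return accepted;
}
```

Feeding the six constructed packets through `run_sample` and looking the first connection up from the server side (10.0.0.2:80 -> 10.0.0.1:40000) lands on the same record as the client-side packets: five packets, three a->b and two b->a, a mean inter-arrival gap of 0.25 s and a rate of 5 packets per second; the lone packet yields a mean gap and a rate of 0 rather than a division by zero. The 64-entry linear table is only there to keep the example self-contained; in a real plugin the natural place for such a record is the per-stream state that Carter points at in snort_stream_tcp.c, and a production table would be hashed and would expire idle entries, since the bound on table size is what keeps a flood of short-lived connections from exhausting memory.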

