Snort mailing list archives

Re: Adding artificial delay to packets in snort


From: Chamara Devanarayana via Snort-devel <snort-devel () lists snort org>
Date: Thu, 5 Mar 2020 21:38:08 +0000

Hi Russ,
Thanks a lot. How hard is it to port Snort 2.9 code to Snort 3? I need to switch to Snort 3. Then I can contribute my 
code as well. Something funny is happening when I use Linux tc-netem with Snort 2.9. I think it starts to loop. I tested 
tc-netem while having a bridge between the two NICs. It worked fine. Does Snort inline work with tap devices?
Thanks,
Best regards,
Chamara

From: Russ Combs (rucombs) <rucombs () cisco com>
Sent: March 5, 2020 3:17 PM
To: Chamara Devanarayana <Chamara () rtds com>; Joel Esler (jesler) <jesler () cisco com>
Cc: snort-devel () lists snort org
Subject: Re: [Snort-devel] Adding artificial delay to packets in snort

Chamara,

If you use Snort 3 with an appropriate DAQ module, you should be able to detain packets and forward them later.  You 
can also drop packets vs block flows.

Russ

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of 
Chamara Devanarayana via Snort-devel <snort-devel () lists snort org>
Reply-To: Chamara Devanarayana <Chamara () rtds com>
Date: Thursday, March 5, 2020 at 3:01 PM
To: "Joel Esler (jesler)" <jesler () cisco com>
Cc: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] Adding artificial delay to packets in snort

Hi Joel,
We are trying to build a test bed to simulate cyber attacks on power systems. The company I work for makes power system 
simulators. There are only a handful of companies around the world that do it. I have been able to use Snort to 
manipulate data on protocols like DNP3, MODBUS, GOOSE, SV, etc. Now I need to see the response of the controllers and 
intelligent electronic devices (and the power system as the end result) to the delays, packet drops, packet reordering, 
etc. I am trying to use Snort to achieve it since I already use it to manipulate data. This packet manipulation can 
also be used to nullify attacks when detected.
Thanks,
Best regards,
Chamara

From: Joel Esler (jesler) <jesler () cisco com>
Sent: March 5, 2020 1:23 PM
To: Chamara Devanarayana <Chamara () rtds com>
Cc: snort-devel () lists snort org
Subject: Re: [Snort-devel] Adding artificial delay to packets in snort

What is the problem that you are trying to solve for?


On Mar 5, 2020, at 2:02 PM, Chamara Devanarayana via Snort-devel <snort-devel () lists snort org> wrote:

Dear all,
Is there a way in Snort to add an artificial delay to the packets? I tried using usleep() and nanosleep(). However, 
they did not work; Snort just ignores those. My second approach was to drop TCP packets and again schedule them using 
the alarm() function; however, Snort does not drop individual TCP packets, I can only drop the entire session. Then I 
tried to use the traffic control utility in Linux together with Snort inline. It does some strange things like 
duplicating packets. Any help in this regard is highly appreciated.
Thanks,
Best regards,

Chamara Devanarayana
Simulation Specialist
RTDS Technologies Inc.

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
