Snort mailing list archives
Re: Snort3 Plugin DPX only get a small amount of packets
From: "Carter Waxman (cwaxman) via Snort-users" <snort-users () lists snort org>
Date: Mon, 11 Mar 2019 13:14:35 +0000
DPX is set to receive udp only by default. Update PROTO_BIT__UDP to PROTO_BIT__ANY_TYPE.
Stream performs its reassembly and sends generated PDUs (passed via Packet*) to DetectionEngine::inspect(), which runs
all of the relevant inspectors followed by rule evaluation, just as with wire packets. Inspectors looking for
stream-reassembled data will request PROTO_BIT__PDU.
-Carter
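To make the dispatch rule in Carter's reply concrete, here is a small self-contained model, added for this archive page and not Snort's code, of what an inspector's proto_bits mask does. It is an illustration of the selection semantics only: the bit values, the Packet/Inspector/StreamTcp types, the inspect() dispatcher and the assumption that ANY_TYPE also covers stream-generated PDUs are all this model's own, and the trace it runs over is constructed. In a real plugin the mask is the proto_bits member of the inspector's InspectApi struct, which the DPX example ships with PROTO_BIT__UDP.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Illustrative bit values chosen for this model only; Snort's own values live
// in protocols/protocol_ids.h and differ.
enum : uint32_t {
    PROTO_BIT__IP   = 1u << 0,
    PROTO_BIT__TCP  = 1u << 1,
    PROTO_BIT__UDP  = 1u << 2,
    PROTO_BIT__ICMP = 1u << 3,
    PROTO_BIT__ARP  = 1u << 4,
    PROTO_BIT__PDU  = 1u << 5,   // reassembled data generated by stream
    // Assumption of this model: ANY_TYPE covers wire packets and PDUs.
    PROTO_BIT__ANY_TYPE = PROTO_BIT__IP | PROTO_BIT__TCP | PROTO_BIT__UDP
                        | PROTO_BIT__ICMP | PROTO_BIT__ARP | PROTO_BIT__PDU
};

struct Packet {
    uint32_t proto_bits;   // what the codecs decoded, or PDU for rebuilt data
    std::string payload;
};

struct Inspector {
    const char* name;
    uint32_t proto_bits;   // plays the role of InspectApi::proto_bits
    unsigned packets = 0;  // the "packets:" line of the module statistics
    void eval(const Packet&) { ++packets; }
};

// Plays the role of DetectionEngine::inspect(): every inspector whose mask
// intersects the packet's proto_bits gets eval(); the others never see it.
static void inspect(const Packet& p, std::vector<Inspector>& inspectors)
{
    for (Inspector& ins : inspectors)
        if (ins.proto_bits & p.proto_bits)
            ins.eval(p);
}

// Minimal stream_tcp stand-in: queue segment payloads, then on flush emit one
// PDU pseudo-packet and push it through inspect() exactly like a wire packet.
struct StreamTcp {
    std::string queued;
    unsigned rebuilt_packets = 0;
    void on_segment(const Packet& seg) { queued += seg.payload; }
    void flush(std::vector<Inspector>& inspectors)
    {
        if (queued.empty()) return;
        Packet pdu{ PROTO_BIT__PDU, queued };
        queued.clear();
        ++rebuilt_packets;
        inspect(pdu, inspectors);
    }
};

struct Counts { unsigned wire, rebuilt, udp_only, any_type, pdu_only; };

// Constructed trace: 3 UDP datagrams, 5 TCP segments of one flow, 1 ARP, 1 ICMP.
static Counts run_trace()
{
    std::vector<Packet> wire = {
        { PROTO_BIT__IP | PROTO_BIT__UDP, "u1" },
        { PROTO_BIT__IP | PROTO_BIT__UDP, "u2" },
        { PROTO_BIT__IP | PROTO_BIT__TCP, "GET / HT" },
        { PROTO_BIT__IP | PROTO_BIT__TCP, "TP/1.1\r\n" },
        { PROTO_BIT__ARP, "" },
        { PROTO_BIT__IP | PROTO_BIT__TCP, "Host: a\r\n" },
        { PROTO_BIT__IP | PROTO_BIT__ICMP, "" },
        { PROTO_BIT__IP | PROTO_BIT__TCP, "\r\n" },
        { PROTO_BIT__IP | PROTO_BIT__UDP, "u3" },
        { PROTO_BIT__IP | PROTO_BIT__TCP, "" },
    };
    std::vector<Inspector> inspectors = {
        { "dpx (default mask)",  PROTO_BIT__UDP },
        { "dpx (any_type mask)", PROTO_BIT__ANY_TYPE },
        { "pdu consumer",        PROTO_BIT__PDU },
    };
    StreamTcp stream;
    for (const Packet& p : wire) {
        if (p.proto_bits & PROTO_BIT__TCP)
            stream.on_segment(p);
        inspect(p, inspectors);
    }
    stream.flush(inspectors);   // end of the flow: one rebuilt PDU
    return { (unsigned)wire.size(), stream.rebuilt_packets,
             inspectors[0].packets, inspectors[1].packets, inspectors[2].packets };
}

int main()
{
    Counts c = run_trace();
    std::printf("wire %u rebuilt %u | udp-only %u any-type %u pdu-only %u\n",
                c.wire, c.rebuilt, c.udp_only, c.any_type, c.pdu_only);
    return 0;
}
```

With the UDP-only mask the inspector counts 3 of the 10 wire packets, which is the shape of the "packets: 80" result below against a pcap with 83 UDP datagrams; with the broader mask it counts all 10 wire packets plus the one rebuilt PDU. The quoted statistics are consistent with that second path: latency total_packets 2791 is daq analyzed 2739 plus stream_tcp rebuilt_packets 52, so an inspector whose mask includes PDU can legitimately report more packets than the DAQ received.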
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Jianyu Li via Snort-users <snort-users () lists snort org>
Reply-To: Jianyu Li <jli31 () qub ac uk>
Date: Monday, March 11, 2019 at 4:19 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Snort3 Plugin DPX only get a small amount of packets
Hey guys,
Any idea how Snort passes packets to plugin inspectors?
I read that the Stream inspector is responsible for TCP reassembly, so is it also passing packets to other inspectors after
reassembly of packets?
Thanks
Li
________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Jianyu Li via Snort-users <snort-users () lists snort org>
Sent: 08 March 2019 09:11
To: snort-users () lists snort org
Subject: [Snort-users] Snort3 Plugin DPX only get a small amount of packets
Hi,
I ran the snort3 plugin but only got 80 packets in my plugin. The total number of packets in the summary is 2739.
The question is why I only get 80 packets instead of all the packets in the pcap file.
I am not sure what the mechanism in Snort3 is for passing packets to different components.
The eval function in my plugin is just one line:
void Dpx::eval(Packet* p)
{
    ++dpxstats.total_packets;
}
The output showed that only 80 packets were passed to dpx:
--------------------------------------------------
dpx
packets: 80
--------------------------------------------------
The command I run is:
root@ubuntudesk1:~# snort --plugin-path /usr/local/lib -c /usr/local/etc/snort/snort.lua --lua "dpx={}" -r iec61850.pcap
--------------------------------------------------
o")~ Snort++ 3.0.0-249
--------------------------------------------------
Disabling profiler because signal 27 handler is already in use.
Loading /usr/local/etc/snort/snort.lua:
ssh
pop
binder
stream_tcp
gtp_inspect
dce_http_proxy
stream_icmp
normalizer
ftp_server
stream_udp
dce_smb
dpx
ips
modbus
rpc_decode
latency
wizard
appid
file_id
ftp_data
smtp
back_orifice
port_scan
dce_http_server
dce_tcp
telnet
ssl
sip
classifications
http2_inspect
http_inspect
stream_user
stream_ip
dnp3
ftp_client
stream
references
arp_spoof
dns
dce_udp
imap
stream_file
Finished /usr/local/etc/snort/snort.lua.
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] iec61850.pcap
-- [0] iec61850.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
pcaps: 1
received: 2739
analyzed: 2739
allow: 2739
rx_bytes: 985615
--------------------------------------------------
codec
total: 2739 (100.000%)
arp: 46 ( 1.679%)
eth: 2739 (100.000%)
icmp6: 12 ( 0.438%)
igmp: 4 ( 0.146%)
ipv4: 2658 ( 97.043%)
ipv6: 35 ( 1.278%)
ipv6_hop_opts: 8 ( 0.292%)
tcp: 2594 ( 94.706%)
udp: 83 ( 3.030%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
analyzed: 2739
--------------------------------------------------
latency
total_packets: 2791
total_usecs: 14640
max_usecs: 103
--------------------------------------------------
host_tracker
service_adds: 1
--------------------------------------------------
host_cache
lru_cache_adds: 1
lru_cache_find_misses: 1
--------------------------------------------------
appid
packets: 2693
processed_packets: 2693
total_sessions: 33
appid_unknown: 13
--------------------------------------------------
arp_spoof
packets: 46
--------------------------------------------------
back_orifice
packets: 75
--------------------------------------------------
binder
packets: 25
inspects: 25
--------------------------------------------------
dpx
packets: 80
--------------------------------------------------
normalizer
test_ip4_opts: 4
test_tcp_options: 4
test_tcp_trim_win: 1
test_tcp_ts_nop: 1
--------------------------------------------------
port_scan
packets: 2693
--------------------------------------------------
ssl
packets: 48
decoded: 48
unrecognized_records: 48
max_concurrent_sessions: 1
--------------------------------------------------
stream
ip_flows: 1
ip_total_prunes: 1
ip_idle_prunes: 1
icmp_flows: 4
icmp_total_prunes: 4
icmp_idle_prunes: 4
tcp_flows: 4
udp_flows: 16
udp_total_prunes: 11
udp_idle_prunes: 11
--------------------------------------------------
stream_icmp
sessions: 4
max: 4
created: 4
released: 4
--------------------------------------------------
stream_ip
sessions: 1
max: 1
created: 1
released: 1
--------------------------------------------------
stream_tcp
sessions: 4
max: 4
created: 4
released: 4
timeouts: 2
instantiated: 2
setups: 4
restarts: 1
syn_trackers: 2
data_trackers: 2
segs_queued: 1929
segs_released: 1929
segs_used: 1929
rebuilt_packets: 52
rebuilt_bytes: 797387
client_cleanups: 3
server_cleanups: 3
syns: 2
syn_acks: 2
resets: 1
fins: 1
--------------------------------------------------
stream_udp
sessions: 16
max: 16
created: 24
released: 24
timeouts: 8
--------------------------------------------------
wizard
tcp_scans: 48
tcp_hits: 1
udp_scans: 83
--------------------------------------------------
Appid dynamic stats:
unknown_app: flows: 12, clients: 0, users: 0, payloads 0, misc: 0
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
runtime: 00:00:00
seconds: 0.216729
packets: 2739
pkts/sec: 2739
o")~ Snort exiting
Thank you very much for any help and advice!
Best regards,
Li
Current thread:
- Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 08)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 11)
- Re: Snort3 Plugin DPX only get a small amount of packets Russ via Snort-users (Mar 24)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 25)
- Re: Snort3 Plugin DPX only get a small amount of packets Russ via Snort-users (Mar 24)
- <Possible follow-ups>
- Re: Snort3 Plugin DPX only get a small amount of packets Carter Waxman (cwaxman) via Snort-users (Mar 11)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 11)
- Re: Snort3 Plugin DPX only get a small amount of packets Carter Waxman (cwaxman) via Snort-users (Mar 11)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 12)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 18)
- Re: Snort3 Plugin DPX only get a small amount of packets Carter Waxman (cwaxman) via Snort-users (Mar 18)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 19)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 19)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 11)
- Re: Snort3 Plugin DPX only get a small amount of packets Jianyu Li via Snort-users (Mar 11)
