Snort mailing list archives
Re: Snort3 Plugin DPX only get a small amount of packets
From: Jianyu Li via Snort-users <snort-users () lists snort org>
Date: Tue, 19 Mar 2019 13:22:44 +0000
Hi Carter,
Thank you very much for the reply! Yes I am trying to write a plugin for protocol at application layer.
There was a problem when I tried to bind the dpx in the config file.
I copied modbus_paf.cc and modbus_paf.h (which contains StreamSplitter for modbus) from snort3 source code to dpx
folder, and used IT_SERVICE and PROTO_BIT__PDU in dpx.cc, then I added binding for dpx in snort config file: snort.lua:
{ when = { proto = 'tcp', ports = '502' }, use = { type = 'dpx' } },
{ when = { service = 'dpx' }, use = { type = 'dpx '} },
and it didn't work when I ran snort:
ERROR: can't bind dpx
ERROR: can't bind dpx
Do you have any idea why this would happen? Or do you know where I can find the details of the binding error?
Thanks in advance!
Best regards,
Li
________________________________
From: Carter Waxman (cwaxman) <cwaxman () cisco com>
Sent: 18 March 2019 13:16:05
To: Jianyu Li; snort-users () lists snort org
Subject: Re: [Snort-users] Snort3 Plugin DPX only get a small amount of packets
Stream Splitter scans / triggers the PDU reassembly, which causes stream to send the PDU down to eval. If you’re
writing for a protocol / app that sits atop the transport layer, adding the StreamSplitter and requesting
PROTO_BIT__PDU is the way to go.
* Carter
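As an added illustration of the scan-and-flush contract Carter describes (not code from Snort or from this thread): the ModbusSplitter class below mirrors what a StreamSplitter::scan() does, using local stand-in types rather than Snort's actual API, and reassemble() plays the role of stream, buffering segments until the splitter flushes and then handing over one whole Modbus/TCP PDU. The MBAP header layout is the standard one; the sample segments are constructed.

```cpp
#include <cstdint>
#include <vector>

// Status values modelled on what a Snort3 StreamSplitter::scan() reports:
// keep SEARCHing, FLUSH (a PDU ends *fp bytes into this data), or ABORT.
enum class Status { SEARCH, FLUSH, ABORT };

// Modbus/TCP splitter. MBAP header = txn id(2) proto id(2) length(2) unit id(1);
// 'length' counts unit id + PDU, so one whole message is 6 + length bytes.
class ModbusSplitter {
public:
    Status scan(const uint8_t* data, uint32_t len, uint32_t* fp) {
        for (uint32_t i = 0; i < len; ++i) {            // state carries across segments
            if (seen < 6) hdr[seen] = data[i];
            if (++seen == 6) {
                if (hdr[2] != 0 || hdr[3] != 0) return Status::ABORT; // proto id must be 0
                msg_len = 6 + ((uint32_t(hdr[4]) << 8) | hdr[5]);
                if (msg_len == 6) return Status::ABORT;              // empty length field
            }
            if (seen >= 6 && seen == msg_len) { *fp = i + 1; seen = 0; return Status::FLUSH; }
        }
        return Status::SEARCH;
    }
private:
    uint8_t hdr[6] = {}; uint32_t seen = 0, msg_len = 0;
};

// Stand-in for stream's side: buffer until FLUSH, then hand one complete PDU to
// the inspector (here: record its size). Returns the PDU sizes in order.
std::vector<uint32_t> reassemble(const std::vector<std::vector<uint8_t>>& segs) {
    ModbusSplitter sp;
    std::vector<uint32_t> pdus; std::vector<uint8_t> buf;
    for (const auto& seg : segs) {
        const uint8_t* p = seg.data(); uint32_t n = static_cast<uint32_t>(seg.size());
        while (n > 0) {
            uint32_t fp = 0;
            Status st = sp.scan(p, n, &fp);
            if (st == Status::ABORT) return pdus;  // stream gives up splitting this flow
            if (st == Status::SEARCH) { buf.insert(buf.end(), p, p + n); break; }
            buf.insert(buf.end(), p, p + fp);      // FLUSH: one PDU is complete
            pdus.push_back(static_cast<uint32_t>(buf.size())); buf.clear();
            p += fp; n -= fp;                      // rescan leftover bytes of this segment
        }
    }
    return pdus;
}

// Constructed sample: a Read Holding Registers request (12 bytes) and its response
// (11 bytes), deliberately split across three TCP segments.
const std::vector<std::vector<uint8_t>> kSegments = {
    {0x00,0x01,0x00,0x00,0x00,0x06,0x01,0x03},
    {0x00,0x00,0x00,0x0A, 0x00,0x02,0x00},
    {0x00,0x00,0x05,0x01,0x03,0x02,0x00,0x2A},
};
```

Note that the inspector only sees two deliveries (12 and 11 bytes) even though three segments arrived, which is the difference between counting wire packets and counting reassembled PDUs.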
From: Jianyu Li <jli31 () qub ac uk>
Date: Monday, March 18, 2019 at 6:10 AM
To: "Carter Waxman (cwaxman)" <cwaxman () cisco com>, "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Snort3 Plugin DPX only get a small amount of packets
Hi Carter,
Sorry to bother you again, can I ask where the Stream Splitter should be placed in the processing path you mentioned?
For example, if I have a Stream Splitter for Dpx, will it be called before Dpx::eval and then send the complete PDU
to Dpx::eval?
Thanks,
Li
________________________________
From: Carter Waxman (cwaxman) <cwaxman () cisco com>
Sent: 11 March 2019 17:50:22
To: Jianyu Li; snort-users () lists snort org
Subject: Re: [Snort-users] Snort3 Plugin DPX only get a small amount of packets
The path for processing is roughly {packet loop or stream reassembly delivers packet} -> Snort::inspect() ->
DetectionEngine::inspect() -> InspectorManager::execute() -> { eval(p) on all relevant inspectors. This includes
Dpx::eval }.
IT_PROBE will send all wire packets from the main hook through that path, but not reassembled packets.
InspectorManager::execute() is where the decision is made whether to call a particular inspector or not.
See src/network_inspectors/packet_capture/packet_capture.cc for an example of where we use this.
See src/framework/inspector.h for the finer points on those definitions.
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Jianyu Li via Snort-users <snort-users () lists
snort org>
Reply-To: Jianyu Li <jli31 () qub ac uk>
Date: Monday, March 11, 2019 at 10:11 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Snort3 Plugin DPX only get a small amount of packets
Hi Carter,
Thank you very much for the reply!
I already updated to PROTO_BIT__TCP before, and after changing it to PROTO_BIT__ANY_TYPE, I only got 229 packets while
the summary shows that there are 2739 packets in total.
You mentioned DetectionEngine::inspect(); is this the function that calls DPX to run eval()?
I wanted to know which snort component will call the DPX when a packet arrives.
Is there a way for DPX to get all packets?
I would be grateful if you could help me clear my mind. Thanks in advance!
Best regards,
Li
________________________________
From: Carter Waxman (cwaxman) <cwaxman () cisco com>
Sent: 11 March 2019 13:14:35
To: Jianyu Li; snort-users () lists snort org
Subject: Re: [Snort-users] Snort3 Plugin DPX only get a small amount of packets
DPX is set to receive udp only by default. Update PROTO_BIT__UDP to PROTO_BIT__ANY_TYPE.
Stream performs its reassembly and sends generated PDUs (passed via Packet*) to DetectionEngine::inspect(), which runs
all of the relevant inspectors followed by rule evaluation, just as with wire packets. Inspectors looking for
stream-reassembled data will request PROTO_BIT__PDU.
-Carter
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Jianyu Li via Snort-users <snort-users () lists
snort org>
Reply-To: Jianyu Li <jli31 () qub ac uk>
Date: Monday, March 11, 2019 at 4:19 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Snort3 Plugin DPX only get a small amount of packets
Hey guys,
Any idea how snort passes packets to plugin inspectors?
I read that the Stream inspector is responsible for TCP reassembly, so does it also pass packets to other inspectors after
reassembling them?
Thanks
Li
________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Jianyu Li via Snort-users <snort-users () lists
snort org>
Sent: 08 March 2019 09:11
To: snort-users () lists snort org
Subject: [Snort-users] Snort3 Plugin DPX only get a small amount of packets
Hi,
I ran the snort3 plugin but only got 80 packets in my plugin. The total number of packets in the summary is 2739.
The question is why I only got 80 packets instead of all packets in the pcap file.
I am not sure what the mechanism is in Snort3 to pass packets to different components.
The eval function in my plugin is just one line:
void Dpx::eval(Packet* p)
{
++dpxstats.total_packets;
}
The output showed that there are only 80 packets passed to the dpx:
--------------------------------------------------
dpx
packets: 80
--------------------------------------------------
The command I run is:
root@ubuntudesk1:~# snort --plugin-path /usr/local/lib -c /usr/local/etc/snort/snort.lua --lua "dpx={}" -r iec61850.pcap
--------------------------------------------------
o")~ Snort++ 3.0.0-249
--------------------------------------------------
Disabling profiler because signal 27 handler is already in use.
Loading /usr/local/etc/snort/snort.lua:
ssh
pop
binder
stream_tcp
gtp_inspect
dce_http_proxy
stream_icmp
normalizer
ftp_server
stream_udp
dce_smb
dpx
ips
modbus
rpc_decode
latency
wizard
appid
file_id
ftp_data
smtp
back_orifice
port_scan
dce_http_server
dce_tcp
telnet
ssl
sip
classifications
http2_inspect
http_inspect
stream_user
stream_ip
dnp3
ftp_client
stream
references
arp_spoof
dns
dce_udp
imap
stream_file
Finished /usr/local/etc/snort/snort.lua.
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] iec61850.pcap
-- [0] iec61850.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
pcaps: 1
received: 2739
analyzed: 2739
allow: 2739
rx_bytes: 985615
--------------------------------------------------
codec
total: 2739 (100.000%)
arp: 46 ( 1.679%)
eth: 2739 (100.000%)
icmp6: 12 ( 0.438%)
igmp: 4 ( 0.146%)
ipv4: 2658 ( 97.043%)
ipv6: 35 ( 1.278%)
ipv6_hop_opts: 8 ( 0.292%)
tcp: 2594 ( 94.706%)
udp: 83 ( 3.030%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
analyzed: 2739
--------------------------------------------------
latency
total_packets: 2791
total_usecs: 14640
max_usecs: 103
--------------------------------------------------
host_tracker
service_adds: 1
--------------------------------------------------
host_cache
lru_cache_adds: 1
lru_cache_find_misses: 1
--------------------------------------------------
appid
packets: 2693
processed_packets: 2693
total_sessions: 33
appid_unknown: 13
--------------------------------------------------
arp_spoof
packets: 46
--------------------------------------------------
back_orifice
packets: 75
--------------------------------------------------
binder
packets: 25
inspects: 25
--------------------------------------------------
dpx
packets: 80
--------------------------------------------------
normalizer
test_ip4_opts: 4
test_tcp_options: 4
test_tcp_trim_win: 1
test_tcp_ts_nop: 1
--------------------------------------------------
port_scan
packets: 2693
--------------------------------------------------
ssl
packets: 48
decoded: 48
unrecognized_records: 48
max_concurrent_sessions: 1
--------------------------------------------------
stream
ip_flows: 1
ip_total_prunes: 1
ip_idle_prunes: 1
icmp_flows: 4
icmp_total_prunes: 4
icmp_idle_prunes: 4
tcp_flows: 4
udp_flows: 16
udp_total_prunes: 11
udp_idle_prunes: 11
--------------------------------------------------
stream_icmp
sessions: 4
max: 4
created: 4
released: 4
--------------------------------------------------
stream_ip
sessions: 1
max: 1
created: 1
released: 1
--------------------------------------------------
stream_tcp
sessions: 4
max: 4
created: 4
released: 4
timeouts: 2
instantiated: 2
setups: 4
restarts: 1
syn_trackers: 2
data_trackers: 2
segs_queued: 1929
segs_released: 1929
segs_used: 1929
rebuilt_packets: 52
rebuilt_bytes: 797387
client_cleanups: 3
server_cleanups: 3
syns: 2
syn_acks: 2
resets: 1
fins: 1
--------------------------------------------------
stream_udp
sessions: 16
max: 16
created: 24
released: 24
timeouts: 8
--------------------------------------------------
wizard
tcp_scans: 48
tcp_hits: 1
udp_scans: 83
--------------------------------------------------
Appid dynamic stats:
unknown_app: flows: 12, clients: 0, users: 0, payloads 0, misc: 0
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
runtime: 00:00:00
seconds: 0.216729
packets: 2739
pkts/sec: 2739
o")~ Snort exiting
Thank you very much for any help and advice!
Best regards,
Li
