[Snort-devel] Session statistic data collection

Pietro Ravasio snort at ...1266...
Tue May 7 07:53:04 EDT 2002


I'm writing a snort plugin for statistical traffic analysis. For this 
reason I'm using data extracted by spp_stream4 plugin through p->ssnptr.

The problem is that I have to generate data on a time "trend basis", for 
example I've got to calculate the average value of window (so:
sum(ssn->server->win_size)/(ssn->server->num_pkts)) or the "empty 
packets rate" and so on... (Cfr. Wenke Lee PhD thesis)

p->ssnptr points to the session data of the actual packet (p), but 
doesn't contain any information regarding the session trend (except 
pkts_sent and bytes_sent). I wouldn't like to let my plugin store past 
sessions data since this would waste a lot of memory and "make something 
already made by spp_stream4 plugin"; in this case I also would have to 
check for correct handshakes and session openings/closures... All things 
already made by spp_stream4...
At the same time I wouldn't like to modify spp_stream4 code... (I 
would like my plugin to be spp_stream4 version independent).

What do you suggest?

Thanks and kind regards,
Pietro Ravasio
"Our real illiteracy is our inability to create"
