[Snort-devel] Developing a TCP/IP connections statistics plugin

Phuong Cao phuong.m.cao at ...2499...
Mon Oct 27 20:17:01 EDT 2014

Hi there,

I have some questions about building a TCP/IP connection
statistics plugin for Snort.

My TCP/IP connection statistics plugin collects statistics such as
number of exchanged packets, packet sending rates, inter-packet
arrival time, and so on for a TCP/IP connection (which is a tuple of
src_ip:src_port and dst_ip:dst_port). I see that Snort already has a
performance counter for IP (function UpdateFlowIPStats() in the file
perf-flow.c). I am thinking of patching this file (that is, updating
the sfBTStats structure to support my statistics). Although patching
might work, I think a dynamic plugin is a better approach.

Is the proposed approach the right direction to go? I appreciate any suggestions.

- Phuong
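
The per-connection bookkeeping described in the message above, as an added example that is not part of the original post and is not Snort code. It uses no Snort API; every name in it (conn_key, conn_stats, conn_update and so on) is hypothetical, and it assumes IPv4 addresses, timestamps in seconds, and a fixed-size table with no timeout or eviction.

```c
#include <stdint.h>
#include <stddef.h>

#define TABLE_SIZE 1024u   /* assumed bound: a flood of new tuples cannot grow memory */

typedef struct { uint32_t ip_a, ip_b; uint16_t port_a, port_b; } conn_key;
typedef struct {
    conn_key key; int used;
    uint64_t packets;                     /* packets seen in both directions */
    double first_ts, last_ts, iat_sum;    /* seconds; iat_sum = sum of inter-packet gaps */
} conn_stats;

static conn_stats table[TABLE_SIZE];

/* Order the two endpoints so both directions of a connection share one entry. */
static conn_key make_key(uint32_t sip, uint16_t sp, uint32_t dip, uint16_t dp) {
    conn_key k = { sip, dip, sp, dp };
    if (sip > dip || (sip == dip && sp > dp)) { conn_key r = { dip, sip, dp, sp }; k = r; }
    return k;
}
static int key_eq(const conn_key *x, const conn_key *y) {
    return x->ip_a == y->ip_a && x->ip_b == y->ip_b &&
           x->port_a == y->port_a && x->port_b == y->port_b;
}
static uint32_t key_hash(const conn_key *k) {   /* FNV-1a over the key fields */
    uint32_t v[3] = { k->ip_a, k->ip_b, ((uint32_t)k->port_a << 16) | k->port_b };
    uint32_t h = 2166136261u;
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++) { h ^= (v[i] >> (8 * b)) & 0xffu; h *= 16777619u; }
    return h;
}

/* Record one packet seen at time ts. Returns the entry, or NULL if the table is full. */
conn_stats *conn_update(uint32_t sip, uint16_t sp, uint32_t dip, uint16_t dp, double ts) {
    conn_key k = make_key(sip, sp, dip, dp);
    uint32_t start = key_hash(&k) % TABLE_SIZE;
    for (uint32_t i = 0; i < TABLE_SIZE; i++) {          /* linear probing */
        conn_stats *c = &table[(start + i) % TABLE_SIZE];
        if (!c->used) { *c = (conn_stats){ .key = k, .used = 1, .packets = 1, .first_ts = ts, .last_ts = ts }; return c; }
        if (!key_eq(&c->key, &k)) continue;
        c->iat_sum += ts - c->last_ts; c->last_ts = ts; c->packets++;
        return c;
    }
    return NULL;
}
double conn_mean_iat(const conn_stats *c) {              /* mean inter-packet arrival time */
    return c->packets > 1 ? c->iat_sum / (double)(c->packets - 1) : 0.0;
}
double conn_rate(const conn_stats *c) {                  /* packets per second */
    double span = c->last_ts - c->first_ts;
    return span > 0 ? (double)c->packets / span : 0.0;
}
```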

