[Snort-devel] Developing a TCP/IP connections statistics plugin

Carter Waxman (cwaxman) cwaxman at ...3461...
Tue Oct 28 12:53:40 EDT 2014


Hi Phuong,

We actually collect statistics on TCP as well. This is all functionality
handled by the perfmon preprocessor, and you may want to look into going
that route. Have a look at perf-base.{c,h}, as this is where we store and
manipulate such things. Also, look into the way we track streams in
snort_stream_tcp.c. You will find some of the connection accounting you
are looking for handled by this component.

Let us know if there is anything else!

- Carter

On 10/27/14, 8:17 PM, "Phuong Cao" <phuong.m.cao at ...2499...> wrote:

>Hi there,
>
>I am having some questions when building a TCP/IP connection
>statistics plugin for Snort.
>
>My TCP/IP connection statistics plugin collects statistics such as
>number of exchanged packets, packet sending rates, inter packet
>arrival time, and so on for a TCP/IP connection (which is a tuple of
>src_ip:src_port and dst_ip:dst_port). I see that Snort already has a
>performance counter for IP (function UpdateFlowIPStats() in the file
>perf-flow.c). I am thinking of patching this file (that is updating
>the sfBTStats structure to support my statistics). Although patching
>might work, I think a dynamic plugin is a better approach.
>
>Is the proposed approach a right direction to go? I appreciate any
>suggestions.
>
>Thanks
>- Phuong
>
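As an added illustration of the per-connection accounting Phuong describes (packet and byte counts, sending rate and inter-packet arrival time, keyed by the src/dst address and port tuple), here is a small self-contained flow table in C. It is not Snort code and does not touch perfmon, perf-flow.c or snort_stream_tcp.c; the fixed-size table, the function names and the direction-normalised key are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
#define MAX_FLOWS 64 /* assumed fixed table size; a real plugin would size and evict dynamically */
typedef struct { uint32_t ip_a, ip_b; uint16_t port_a, port_b; } flow_key_t;
typedef struct {
    flow_key_t key;
    int        used;
    uint64_t   packets, bytes;
    double     first_ts, last_ts;   /* capture timestamps in seconds */
    double     iat_sum;             /* sum of inter-packet arrival gaps */
} flow_stats_t;
static flow_stats_t flows[MAX_FLOWS];

/* Normalise the tuple so both directions of one connection share a key. */
static flow_key_t make_key(uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport)
{
    int fwd = (sip < dip) || (sip == dip && sport <= dport);   /* lower endpoint first */
    return (flow_key_t){ fwd ? sip : dip, fwd ? dip : sip, fwd ? sport : dport, fwd ? dport : sport };
}
static int key_eq(const flow_key_t *a, const flow_key_t *b)
{ return a->ip_a == b->ip_a && a->ip_b == b->ip_b && a->port_a == b->port_a && a->port_b == b->port_b; }

/* Find a flow's slot; with create != 0 claim a free one. NULL when absent or table full. */
flow_stats_t *lookup_flow(uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport, int create)
{
    flow_key_t k = make_key(sip, sport, dip, dport);
    flow_stats_t *slot = NULL;
    for (int i = 0; i < MAX_FLOWS; i++) {
        if (flows[i].used && key_eq(&flows[i].key, &k)) return &flows[i];
        if (!flows[i].used && !slot) slot = &flows[i];
    }
    if (!create || !slot) return NULL;
    memset(slot, 0, sizeof *slot);
    slot->key = k; slot->used = 1;
    return slot;
}

/* Account one packet of len bytes seen at time ts. Returns -1 if the table is full. */
int update_flow(uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport, double ts, size_t len)
{
    flow_stats_t *f = lookup_flow(sip, sport, dip, dport, 1);
    if (!f) return -1;
    if (f->packets == 0) f->first_ts = ts;
    else f->iat_sum += (ts > f->last_ts) ? ts - f->last_ts : 0;  /* clamp out-of-order timestamps */
    f->last_ts = ts; f->packets++; f->bytes += len;
    return 0;
}

/* Packets per second over the observed lifetime, and mean gap between packets. */
double flow_pkt_rate(const flow_stats_t *f)
{ double d = f->last_ts - f->first_ts; return d > 0 ? (double)f->packets / d : 0.0; }
double flow_mean_iat(const flow_stats_t *f)
{ return f->packets > 1 ? f->iat_sum / (double)(f->packets - 1) : 0.0; }
```

A plugin hooking this into the packet path would call update_flow() per TCP segment with the capture timestamp and would need an eviction policy (the -1 return is where that decision belongs).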