[Snort-devel] Developing a TCP/IP connections statistics plugin

Phuong Cao phuong.m.cao at ...2499...
Tue Oct 28 14:51:12 EDT 2014


Hi Carter,

I plan to define my statistics to _SessionControlBlock
(session_common.h) and update the statistics whenever I see a new TCP
packet in ProcessTCPStream function (snort_stream_tcp.c). This would
result in a patch definitely.

What would you suggest to add the statistics as a dynamic plugin?

Your pointers are very helpful. Thanks.
- PC


On Tue, Oct 28, 2014 at 9:53 AM, Carter Waxman (cwaxman)
<cwaxman at ...3461...> wrote:
> Hi Phuong,
>
> We actually collect statistics on TCP as well. This is all functionality
> handled by the perfmon preprocessor, and you may want to look into going
> that route. Have a look at perf-base.{c,h}, as this is where we store and
> manipulate such things. Also, look into the way we track streams in
> snort_stream_tcp.c. You will find some of the connection accounting you
> are looking for handled by this component.
>
> Let us know if there is any thing else!
>
> - Carter
>
> On 10/27/14, 8:17 PM, "Phuong Cao" <phuong.m.cao at ...2499...> wrote:
>
>>Hi there,
>>
>>I am having some questions when building a TCP/IP connection
>>statistics plugin for Snort.
>>
>>My TCP/IP connection statistics plugin collects statistics such as
>>number of exchanged packets, packet sending rates, inter packet
>>arrival time, and so on for a TCP/IP connection (which is a tuple of
>>src_ip:src_port and dst_ip:dst_port). I see that Snort already has a
>>performance counter for IP (function UpdateFlowIPStats() in the file
>>perf-flow.c). I am thinking of patching this file (that is updating
>>the sfBTStats structure to support my statistics). Although patching
>>might work, I think a dynamic plugin is a better approach.
>>
>>Is the proposed approach a right direction to go? I appreciate any
>>suggestions.
>>
>>Thanks
>>- Phuong
>>
>>------------------------------------------------------------------------------
>>_______________________________________________
>>Snort-devel mailing list
>>Snort-devel at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/snort-devel
>>Archive:
>>http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>
>>Please visit http://blog.snort.org for the latest news about Snort!
>
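The per-connection accounting discussed in this thread (packets per direction, sending rate, inter-packet arrival time, keyed on the src_ip:src_port and dst_ip:dst_port tuple) can be sketched as the following added example in C. It is not Snort code and not code from either poster: the static table, the `pkt_t` record and every function name are hypothetical stand-ins for whatever the session block or perfmon structures would hold, and the four-packet exchange is constructed. The one design point it makes is that the key is built from the two endpoints in canonical order, so both directions of a connection land in the same entry; that is what turns a per-direction flow counter into a connection statistic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-connection statistics table (illustration, not Snort code).
 * A real plugin would hang conn_stats_t off the session block and use a hash
 * table instead of this linear scan. */
#define MAX_CONNS 64

typedef struct {
    uint32_t ip_a, ip_b;          /* canonical order: (ip_a,port_a) sorts first */
    uint16_t port_a, port_b;
} conn_key_t;

typedef struct {
    conn_key_t key;
    int in_use;
    uint64_t pkts_ab, pkts_ba;    /* packets a->b and b->a */
    uint64_t bytes_ab, bytes_ba;
    double first_ts, last_ts;     /* seconds; packets are assumed in arrival order */
    double iat_sum, iat_max;      /* inter-packet gaps, both directions pooled */
} conn_stats_t;

typedef struct {                  /* the few packet fields the accounting needs */
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint32_t len;
    double ts;
} pkt_t;

static conn_stats_t table[MAX_CONNS];

static int endpoint_before(uint32_t ip1, uint16_t p1, uint32_t ip2, uint16_t p2)
{
    return ip1 < ip2 || (ip1 == ip2 && p1 < p2);
}

/* Build a direction-independent key; *is_ab tells which way this packet went. */
static void make_key(const pkt_t *p, conn_key_t *k, int *is_ab)
{
    *is_ab = endpoint_before(p->src_ip, p->src_port, p->dst_ip, p->dst_port);
    if (*is_ab) { k->ip_a = p->src_ip; k->port_a = p->src_port; k->ip_b = p->dst_ip; k->port_b = p->dst_port; }
    else        { k->ip_a = p->dst_ip; k->port_a = p->dst_port; k->ip_b = p->src_ip; k->port_b = p->src_port; }
}

static int key_eq(const conn_key_t *x, const conn_key_t *y)
{
    return x->ip_a == y->ip_a && x->ip_b == y->ip_b && x->port_a == y->port_a && x->port_b == y->port_b;
}

static conn_stats_t *find_slot(const conn_key_t *k, int create)
{
    conn_stats_t *free_slot = NULL;
    for (int i = 0; i < MAX_CONNS; i++) {
        if (!table[i].in_use) { if (!free_slot) free_slot = &table[i]; }
        else if (key_eq(&table[i].key, k)) return &table[i];
    }
    if (!create || !free_slot) return NULL;
    memset(free_slot, 0, sizeof *free_slot);
    free_slot->key = *k;
    free_slot->in_use = 1;
    return free_slot;
}

/* Account one packet to its connection; returns 0, or -1 if the table is full. */
int conn_update(const pkt_t *p)
{
    conn_key_t k; int is_ab;
    make_key(p, &k, &is_ab);
    conn_stats_t *c = find_slot(&k, 1);
    if (!c) return -1;
    if (c->pkts_ab + c->pkts_ba == 0) {
        c->first_ts = p->ts;
    } else {
        double gap = p->ts - c->last_ts;
        if (gap < 0) gap = 0;                 /* tolerate a late/reordered timestamp */
        c->iat_sum += gap;
        if (gap > c->iat_max) c->iat_max = gap;
    }
    c->last_ts = p->ts;
    if (is_ab) { c->pkts_ab++; c->bytes_ab += p->len; }
    else       { c->pkts_ba++; c->bytes_ba += p->len; }
    return 0;
}

/* Lookup works from either direction of the tuple. */
const conn_stats_t *conn_find(uint32_t sip, uint16_t sp, uint32_t dip, uint16_t dp)
{
    pkt_t p = { sip, dip, sp, dp, 0, 0.0 };
    conn_key_t k; int is_ab;
    make_key(&p, &k, &is_ab);
    return find_slot(&k, 0);
}

uint64_t conn_total_pkts(const conn_stats_t *c) { return c->pkts_ab + c->pkts_ba; }

/* Packets per second over the observed span; 0 for a single-packet connection. */
double conn_pkt_rate(const conn_stats_t *c)
{
    double span = c->last_ts - c->first_ts;
    return span > 0 ? (double)conn_total_pkts(c) / span : 0.0;
}

/* Mean inter-packet arrival time; 0 until a second packet has been seen. */
double conn_mean_iat(const conn_stats_t *c)
{
    uint64_t n = conn_total_pkts(c);
    return n > 1 ? c->iat_sum / (double)(n - 1) : 0.0;
}

void conn_table_reset(void) { memset(table, 0, sizeof table); }
int approx(double a, double b) { double d = a - b; return d < 1e-9 && d > -1e-9; }

/* Constructed handshake + request between 10.0.0.1:40000 and 10.0.0.2:80. */
int conn_demo(void)
{
    const uint32_t client = 0x0a000001, server = 0x0a000002;
    const pkt_t pkts[] = {
        { client, server, 40000, 80,  60, 0.00 },   /* SYN     */
        { server, client, 80, 40000,  60, 0.05 },   /* SYN/ACK */
        { client, server, 40000, 80,  52, 0.10 },   /* ACK     */
        { client, server, 40000, 80, 500, 0.30 },   /* request */
    };
    conn_table_reset();
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        if (conn_update(&pkts[i]) != 0) return -1;
    const conn_stats_t *c = conn_find(client, 40000, server, 80);
    if (!c) return -1;
    printf("pkts=%llu (a->b %llu, b->a %llu) rate=%.2f pps mean_iat=%.3f s max_iat=%.3f s\n",
           (unsigned long long)conn_total_pkts(c), (unsigned long long)c->pkts_ab,
           (unsigned long long)c->pkts_ba, conn_pkt_rate(c), conn_mean_iat(c), c->iat_max);
    return (int)conn_total_pkts(c);
}

int main(void) { return conn_demo() == 4 ? 0 : 1; }
```

Whether the counters live in the session block or in a perfmon structure, the update is the same single call per packet on the already-classified stream, and the rate and mean inter-arrival values are derived on read rather than stored, which keeps the per-packet cost to a few increments.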