[Snort-users] Snort3 Plugin DPX only get a small amount of packets

Jianyu Li jli31 at qub.ac.uk
Mon Mar 11 04:13:55 EDT 2019


Hey guys,


Any idea how snort passes packets to plugin inspectors?

I read that Stream inspector is responsible for TCP reassembly, so is it also passing packets to other inspectors after reassembly of packets?


Thanks

Li



________________________________
From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Jianyu Li via Snort-users <snort-users at lists.snort.org>
Sent: 08 March 2019 09:11
To: snort-users at lists.snort.org
Subject: [Snort-users] Snort3 Plugin DPX only get a small amount of packets


Hi,


I run the snort3 plugin but only got 80 packets in my plugin. The total amount of packet in summary is 2739.

The question is why I can only got 80 packets instead of all packets in the pcap file.

I am not sure what's the mechanism in Snort3 to pass packets to different components.


The eval function in my plugin is just one line:

void Dpx::eval(Packet* p)
{
    ++dpxstats.total_packets;
}


The output showed that there are only 80 packets passed to the dpx:


--------------------------------------------------
dpx
                  packets: 80
--------------------------------------------------


The command I run is:


root at ubuntudesk1:~# snort --plugin-path /usr/local/lib -c /usr/local/etc/snort/snort.lua --lua "dpx={}" -r iec61850.pcap
--------------------------------------------------
o")~   Snort++ 3.0.0-249
--------------------------------------------------
Disabling profiler because signal 27 handler is already in use.
Loading /usr/local/etc/snort/snort.lua:
        ssh
        pop
        binder
        stream_tcp
        gtp_inspect
        dce_http_proxy
        stream_icmp
        normalizer
        ftp_server
        stream_udp
        dce_smb
        dpx
        ips
        modbus
        rpc_decode
        latency
        wizard
        appid
        file_id
        ftp_data
        smtp
        back_orifice
        port_scan
        dce_http_server
        dce_tcp
        telnet
        ssl
        sip
        classifications
        http2_inspect
        http_inspect
        stream_user
        stream_ip
        dnp3
        ftp_client
        stream
        references
        arp_spoof
        dns
        dce_udp
        imap
        stream_file
Finished /usr/local/etc/snort/snort.lua.
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] iec61850.pcap
-- [0] iec61850.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
                 received: 2739
                 analyzed: 2739
                    allow: 2739
                 rx_bytes: 985615
--------------------------------------------------
codec
                    total: 2739         (100.000%)
                      arp: 46           (  1.679%)
                      eth: 2739         (100.000%)
                    icmp6: 12           (  0.438%)
                     igmp: 4            (  0.146%)
                     ipv4: 2658         ( 97.043%)
                     ipv6: 35           (  1.278%)
            ipv6_hop_opts: 8            (  0.292%)
                      tcp: 2594         ( 94.706%)
                      udp: 83           (  3.030%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 2739
--------------------------------------------------
latency
            total_packets: 2791
              total_usecs: 14640
                max_usecs: 103
--------------------------------------------------
host_tracker
             service_adds: 1
--------------------------------------------------
host_cache
           lru_cache_adds: 1
    lru_cache_find_misses: 1
--------------------------------------------------
appid
                  packets: 2693
        processed_packets: 2693
           total_sessions: 33
            appid_unknown: 13
--------------------------------------------------
arp_spoof
                  packets: 46
--------------------------------------------------
back_orifice
                  packets: 75
--------------------------------------------------
binder
                  packets: 25
                 inspects: 25
--------------------------------------------------
dpx
                  packets: 80
--------------------------------------------------
normalizer
            test_ip4_opts: 4
         test_tcp_options: 4
        test_tcp_trim_win: 1
          test_tcp_ts_nop: 1
--------------------------------------------------
port_scan
                  packets: 2693
--------------------------------------------------
ssl
                  packets: 48
                  decoded: 48
     unrecognized_records: 48
  max_concurrent_sessions: 1
--------------------------------------------------
stream
                 ip_flows: 1
          ip_total_prunes: 1
           ip_idle_prunes: 1
               icmp_flows: 4
        icmp_total_prunes: 4
         icmp_idle_prunes: 4
                tcp_flows: 4
                udp_flows: 16
         udp_total_prunes: 11
          udp_idle_prunes: 11
--------------------------------------------------
stream_icmp
                 sessions: 4
                      max: 4
                  created: 4
                 released: 4
--------------------------------------------------
stream_ip
                 sessions: 1
                      max: 1
                  created: 1
                 released: 1
--------------------------------------------------
stream_tcp
                 sessions: 4
                      max: 4
                  created: 4
                 released: 4
                 timeouts: 2
             instantiated: 2
                   setups: 4
                 restarts: 1
             syn_trackers: 2
            data_trackers: 2
              segs_queued: 1929
            segs_released: 1929
                segs_used: 1929
          rebuilt_packets: 52
            rebuilt_bytes: 797387
          client_cleanups: 3
          server_cleanups: 3
                     syns: 2
                 syn_acks: 2
                   resets: 1
                     fins: 1
--------------------------------------------------
stream_udp
                 sessions: 16
                      max: 16
                  created: 24
                 released: 24
                 timeouts: 8
--------------------------------------------------
wizard
                tcp_scans: 48
                 tcp_hits: 1
                udp_scans: 83
--------------------------------------------------
Appid dynamic stats:
unknown_app: flows: 12, clients: 0, users: 0, payloads 0, misc: 0
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.216729
                  packets: 2739
                 pkts/sec: 2739
o")~   Snort exiting



Thank you very much for any help and advices!


Best regards,

Li
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20190311/ca3f7633/attachment.html>


More information about the Snort-users mailing list