[Snort-users] Snort3 Plugin DPX only get a small amount of packets

Jianyu Li jli31 at qub.ac.uk
Mon Mar 11 09:59:06 EDT 2019


Hi Carter,


Thank you very much for the reply!

I already updated to PROTO_BIT__TCP before, and after changing it to PROTO_BIT__ANY_TYPE, I only got 229 packets while the summary shows that there are 2739 packets in total.

You mentioned DetectionEngine::inspect(); is this the function that calls DPX to run eval()?

I wanted to know which Snort component calls DPX when a packet arrives.

Is there a way for DPX to get all packets?


I would be grateful if you could help me clear my mind. Thanks in advance!


Best regards,

Li

________________________________
From: Carter Waxman (cwaxman) <cwaxman at cisco.com>
Sent: 11 March 2019 13:14:35
To: Jianyu Li; snort-users at lists.snort.org
Subject: Re: [Snort-users] Snort3 Plugin DPX only get a small amount of packets


DPX is set to receive udp only by default. Update PROTO_BIT__UDP to PROTO_BIT__ANY_TYPE.



Stream performs its reassembly and sends generated PDUs (passed via Packet*) to DetectionEngine::inspect(), which runs all of the relevant inspectors followed by rule evaluation, just as with wire packets. Inspectors looking for stream-reassembled data will request PROTO_BIT__PDU.



-Carter



From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Jianyu Li via Snort-users <snort-users at lists.snort.org>
Reply-To: Jianyu Li <jli31 at qub.ac.uk>
Date: Monday, March 11, 2019 at 4:19 AM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: Re: [Snort-users] Snort3 Plugin DPX only get a small amount of packets



Hey guys,



Any idea how snort passes packets to plugin inspectors?

I read that the Stream inspector is responsible for TCP reassembly, so is it also passing packets to other inspectors after reassembly?



Thanks

Li





________________________________

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Jianyu Li via Snort-users <snort-users at lists.snort.org>
Sent: 08 March 2019 09:11
To: snort-users at lists.snort.org
Subject: [Snort-users] Snort3 Plugin DPX only get a small amount of packets



Hi,



I ran the snort3 plugin but only got 80 packets in my plugin. The total number of packets in the summary is 2739.

The question is why I only get 80 packets instead of all packets in the pcap file.

I am not sure what the mechanism in Snort3 for passing packets to different components is.



The eval function in my plugin is just one line:



// Per-packet hook of the DPX inspector: count every packet handed to it.
void Dpx::eval(Packet* p)
{
    ++dpxstats.total_packets;
}



The output showed that there are only 80 packets passed to the dpx:



--------------------------------------------------
dpx
                  packets: 80
--------------------------------------------------



The command I run is:



root at ubuntudesk1:~# snort --plugin-path /usr/local/lib -c /usr/local/etc/snort/snort.lua --lua "dpx={}" -r iec61850.pcap
--------------------------------------------------
o")~   Snort++ 3.0.0-249
--------------------------------------------------
Disabling profiler because signal 27 handler is already in use.
Loading /usr/local/etc/snort/snort.lua:
        ssh
        pop
        binder
        stream_tcp
        gtp_inspect
        dce_http_proxy
        stream_icmp
        normalizer
        ftp_server
        stream_udp
        dce_smb
        dpx
        ips
        modbus
        rpc_decode
        latency
        wizard
        appid
        file_id
        ftp_data
        smtp
        back_orifice
        port_scan
        dce_http_server
        dce_tcp
        telnet
        ssl
        sip
        classifications
        http2_inspect
        http_inspect
        stream_user
        stream_ip
        dnp3
        ftp_client
        stream
        references
        arp_spoof
        dns
        dce_udp
        imap
        stream_file
Finished /usr/local/etc/snort/snort.lua.
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] iec61850.pcap
-- [0] iec61850.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
                 received: 2739
                 analyzed: 2739
                    allow: 2739
                 rx_bytes: 985615
--------------------------------------------------
codec
                    total: 2739         (100.000%)
                      arp: 46           (  1.679%)
                      eth: 2739         (100.000%)
                    icmp6: 12           (  0.438%)
                     igmp: 4            (  0.146%)
                     ipv4: 2658         ( 97.043%)
                     ipv6: 35           (  1.278%)
            ipv6_hop_opts: 8            (  0.292%)
                      tcp: 2594         ( 94.706%)
                      udp: 83           (  3.030%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 2739
--------------------------------------------------
latency
            total_packets: 2791
              total_usecs: 14640
                max_usecs: 103
--------------------------------------------------
host_tracker
             service_adds: 1
--------------------------------------------------
host_cache
           lru_cache_adds: 1
    lru_cache_find_misses: 1
--------------------------------------------------
appid
                  packets: 2693
        processed_packets: 2693
           total_sessions: 33
            appid_unknown: 13
--------------------------------------------------
arp_spoof
                  packets: 46
--------------------------------------------------
back_orifice
                  packets: 75
--------------------------------------------------
binder
                  packets: 25
                 inspects: 25
--------------------------------------------------
dpx
                  packets: 80
--------------------------------------------------
normalizer
            test_ip4_opts: 4
         test_tcp_options: 4
        test_tcp_trim_win: 1
          test_tcp_ts_nop: 1
--------------------------------------------------
port_scan
                  packets: 2693
--------------------------------------------------
ssl
                  packets: 48
                  decoded: 48
     unrecognized_records: 48
  max_concurrent_sessions: 1
--------------------------------------------------
stream
                 ip_flows: 1
          ip_total_prunes: 1
           ip_idle_prunes: 1
               icmp_flows: 4
        icmp_total_prunes: 4
         icmp_idle_prunes: 4
                tcp_flows: 4
                udp_flows: 16
         udp_total_prunes: 11
          udp_idle_prunes: 11
--------------------------------------------------
stream_icmp
                 sessions: 4
                      max: 4
                  created: 4
                 released: 4
--------------------------------------------------
stream_ip
                 sessions: 1
                      max: 1
                  created: 1
                 released: 1
--------------------------------------------------
stream_tcp
                 sessions: 4
                      max: 4
                  created: 4
                 released: 4
                 timeouts: 2
             instantiated: 2
                   setups: 4
                 restarts: 1
             syn_trackers: 2
            data_trackers: 2
              segs_queued: 1929
            segs_released: 1929
                segs_used: 1929
          rebuilt_packets: 52
            rebuilt_bytes: 797387
          client_cleanups: 3
          server_cleanups: 3
                     syns: 2
                 syn_acks: 2
                   resets: 1
                     fins: 1
--------------------------------------------------
stream_udp
                 sessions: 16
                      max: 16
                  created: 24
                 released: 24
                 timeouts: 8
--------------------------------------------------
wizard
                tcp_scans: 48
                 tcp_hits: 1
                udp_scans: 83
--------------------------------------------------
Appid dynamic stats:
unknown_app: flows: 12, clients: 0, users: 0, payloads 0, misc: 0
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.216729
                  packets: 2739
                 pkts/sec: 2739
o")~   Snort exiting





Thank you very much for any help and advice!



Best regards,

Li
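The mechanism Carter describes above, as an added, stand-alone model (example code written for this page, not code from the thread or from the Snort project): an inspector declares which protocol bits it wants, the engine hands it only packets whose bits intersect that request, and Stream feeds rebuilt PDUs through the same path tagged with PROTO_BIT__PDU. The PROTO_BIT__* names mirror the thread; their bit values here are illustrative, not Snort's constants, and the assumption that a rebuilt PDU carries both the transport bit and PROTO_BIT__PDU is this model's, not something the thread states. The Packet and Inspector types, reassemble(), run() and demo() are all hypothetical helpers for the model.

```cpp
// Added example: model of proto-bit gating of inspector eval() calls.
// Not Snort code; the PROTO_BIT__* values below are illustrative only.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Assumption: illustrative bit values chosen for this model.
constexpr uint32_t PROTO_BIT__ARP      = 1u << 0;
constexpr uint32_t PROTO_BIT__ICMP     = 1u << 1;
constexpr uint32_t PROTO_BIT__TCP      = 1u << 2;
constexpr uint32_t PROTO_BIT__UDP      = 1u << 3;
constexpr uint32_t PROTO_BIT__PDU      = 1u << 4;   // set on Stream-rebuilt data
constexpr uint32_t PROTO_BIT__ANY_TYPE =
    PROTO_BIT__ARP | PROTO_BIT__ICMP | PROTO_BIT__TCP | PROTO_BIT__UDP;

// Hypothetical stand-in for a packet: only the proto bits matter for dispatch.
struct Packet {
    uint32_t proto_bits;
    bool rebuilt;   // true when produced by reassembly rather than read from the wire
};

// Hypothetical stand-in for an inspector: it states the bits it wants, and
// eval() plays the role of the thread's Dpx::eval(), counting what it is given.
struct Inspector {
    std::string name;
    uint32_t want_bits;
    uint64_t total_packets = 0;
    Inspector(std::string n, uint32_t w) : name(std::move(n)), want_bits(w) {}
    void eval(const Packet&) { ++total_packets; }
};

// Dispatch rule modelled here: a packet reaches an inspector only when the
// packet's proto bits intersect the bits the inspector asked for.
inline bool wants(const Inspector& insp, const Packet& p) {
    return (insp.want_bits & p.proto_bits) != 0;
}

// Model of Stream: TCP segments are queued and, every segs_per_pdu segments,
// one rebuilt PDU is emitted. Assumption: the PDU carries TCP | PDU bits.
std::vector<Packet> reassemble(const std::vector<Packet>& wire, size_t segs_per_pdu) {
    std::vector<Packet> pdus;
    size_t queued = 0;
    for (const Packet& p : wire) {
        if ((p.proto_bits & PROTO_BIT__TCP) && ++queued == segs_per_pdu) {
            pdus.push_back({PROTO_BIT__TCP | PROTO_BIT__PDU, true});
            queued = 0;
        }
    }
    return pdus;
}

// Run wire packets and then Stream's PDUs through every inspector, the way the
// thread describes both kinds reaching DetectionEngine::inspect(); return counts.
std::map<std::string, uint64_t> run(const std::vector<Packet>& wire,
                                    std::vector<Inspector> inspectors) {
    std::vector<Packet> all = wire;
    std::vector<Packet> pdus = reassemble(wire, 4);
    all.insert(all.end(), pdus.begin(), pdus.end());
    for (const Packet& p : all)
        for (Inspector& insp : inspectors)
            if (wants(insp, p))
                insp.eval(p);
    std::map<std::string, uint64_t> counts;
    for (const Inspector& insp : inspectors)
        counts[insp.name] = insp.total_packets;
    return counts;
}

// Constructed sample capture: 2 ARP, 1 ICMP, 3 UDP and 8 TCP segments
// (with segs_per_pdu = 4 the 8 segments become 2 rebuilt PDUs).
std::vector<Packet> sample_capture() {
    std::vector<Packet> v;
    for (int i = 0; i < 2; ++i) v.push_back({PROTO_BIT__ARP, false});
    v.push_back({PROTO_BIT__ICMP, false});
    for (int i = 0; i < 3; ++i) v.push_back({PROTO_BIT__UDP, false});
    for (int i = 0; i < 8; ++i) v.push_back({PROTO_BIT__TCP, false});
    return v;
}

// Four copies of the same counting inspector, differing only in requested bits.
std::map<std::string, uint64_t> demo() {
    return run(sample_capture(), {
        {"dpx_udp_only", PROTO_BIT__UDP},       // the default the thread mentions
        {"dpx_tcp_only", PROTO_BIT__TCP},       // wire segments plus rebuilt PDUs
        {"dpx_pdu_only", PROTO_BIT__PDU},       // only Stream-reassembled data
        {"dpx_any_type", PROTO_BIT__ANY_TYPE},  // every wire packet (and PDUs via TCP bit)
    });
}

int main() {
    for (const auto& kv : demo())
        std::printf("%-14s packets: %llu\n", kv.first.c_str(),
                    static_cast<unsigned long long>(kv.second));
    return 0;
}
```

The counts differ only because of the requested mask: the UDP-only inspector sees 3 of 16 deliveries, the PDU-only one sees just the 2 reassembled units, and an inspector that wants reassembled data must ask for the PDU bit explicitly, which is the point Carter makes about PROTO_BIT__PDU.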