[Snort-users] Snort3 Plugin DPX only get a small amount of packets

Russ rucombs at cisco.com
Sun Mar 24 16:11:25 EDT 2019


Hey Li,

Did you figure this out?  In general, and indirectly, stream_tcp will 
pass rebuilt packets (PDUs) to the service inspector but that depends on 
the StreamSplitter.  The best way to figure out what's going on is to 
break in your eval function and examine the call stack.

Hope that helps.
Russ

On 3/11/19 4:13 AM, Jianyu Li via Snort-users wrote:
>
> Hey guys,
>
>
> Any idea how snort passes packets to plugin inspectors?
>
> I read that Stream inspector is responsible for TCP reassembly, so is 
> it also passing packets to other inspectors after reassembly of packets?
>
>
> Thanks
>
> Li
>
>
>
>
> ------------------------------------------------------------------------
> *From:* Snort-users <snort-users-bounces at lists.snort.org> on behalf of 
> Jianyu Li via Snort-users <snort-users at lists.snort.org>
> *Sent:* 08 March 2019 09:11
> *To:* snort-users at lists.snort.org
> *Subject:* [Snort-users] Snort3 Plugin DPX only get a small amount of 
> packets
>
> Hi,
>
>
> I ran the snort3 plugin but only got 80 packets in my plugin. The 
> total number of packets in the summary is 2739.
>
> The question is why I only got 80 packets instead of all the packets 
> in the pcap file.
>
> I am not sure what mechanism Snort3 uses to pass packets to 
> different components.
>
>
> The eval function in my plugin is just one line:
>
> /
> /
> /void Dpx::eval(Packet* p)/
> /{/
> /    ++dpxstats.total_packets;/
> /}/
>
> The output showed that there are only 80 packets passed to the dpx:
>
>
> --------------------------------------------------
> dpx
>                   packets: 80
> --------------------------------------------------
>
> The command I run is:
>
>
> root@ubuntudesk1:~# snort --plugin-path /usr/local/lib -c 
> /usr/local/etc/snort/snort.lua --lua "dpx={}" -r iec61850.pcap
> --------------------------------------------------
> o")~   Snort++ 3.0.0-249
> --------------------------------------------------
> Disabling profiler because signal 27 handler is already in use.
> Loading /usr/local/etc/snort/snort.lua:
>         ssh
>         pop
>         binder
>         stream_tcp
>         gtp_inspect
>         dce_http_proxy
>         stream_icmp
>         normalizer
>         ftp_server
>         stream_udp
>         dce_smb
>         dpx
>         ips
>         modbus
>         rpc_decode
>         latency
>         wizard
>         appid
>         file_id
>         ftp_data
>         smtp
>         back_orifice
>         port_scan
>         dce_http_server
>         dce_tcp
>         telnet
>         ssl
>         sip
>         classifications
>         http2_inspect
>         http_inspect
>         stream_user
>         stream_ip
>         dnp3
>         ftp_client
>         stream
>         references
>         arp_spoof
>         dns
>         dce_udp
>         imap
>         stream_file
> Finished /usr/local/etc/snort/snort.lua.
> --------------------------------------------------
> pcap DAQ configured to read-file.
> Commencing packet processing
> ++ [0] iec61850.pcap
> -- [0] iec61850.pcap
> --------------------------------------------------
> Packet Statistics
> --------------------------------------------------
> daq
>                     pcaps: 1
>                  received: 2739
>                  analyzed: 2739
>                     allow: 2739
>                  rx_bytes: 985615
> --------------------------------------------------
> codec
>                     total: 2739         (100.000%)
>                       arp: 46           (  1.679%)
>                       eth: 2739         (100.000%)
>                     icmp6: 12           (  0.438%)
>                      igmp: 4            (  0.146%)
>                      ipv4: 2658         ( 97.043%)
>                      ipv6: 35           (  1.278%)
>             ipv6_hop_opts: 8            (  0.292%)
>                       tcp: 2594         ( 94.706%)
>                       udp: 83           (  3.030%)
> --------------------------------------------------
> Module Statistics
> --------------------------------------------------
> detection
>                  analyzed: 2739
> --------------------------------------------------
> latency
>             total_packets: 2791
>               total_usecs: 14640
>                 max_usecs: 103
> --------------------------------------------------
> host_tracker
>              service_adds: 1
> --------------------------------------------------
> host_cache
>            lru_cache_adds: 1
>     lru_cache_find_misses: 1
> --------------------------------------------------
> appid
>                   packets: 2693
>         processed_packets: 2693
>            total_sessions: 33
>             appid_unknown: 13
> --------------------------------------------------
> arp_spoof
>                   packets: 46
> --------------------------------------------------
> back_orifice
>                   packets: 75
> --------------------------------------------------
> binder
>                   packets: 25
>                  inspects: 25
> --------------------------------------------------
> dpx
>                   packets: 80
> --------------------------------------------------
> normalizer
>             test_ip4_opts: 4
>          test_tcp_options: 4
>         test_tcp_trim_win: 1
>           test_tcp_ts_nop: 1
> --------------------------------------------------
> port_scan
>                   packets: 2693
> --------------------------------------------------
> ssl
>                   packets: 48
>                   decoded: 48
>      unrecognized_records: 48
>   max_concurrent_sessions: 1
> --------------------------------------------------
> stream
>                  ip_flows: 1
>           ip_total_prunes: 1
>            ip_idle_prunes: 1
>                icmp_flows: 4
>         icmp_total_prunes: 4
>          icmp_idle_prunes: 4
>                 tcp_flows: 4
>                 udp_flows: 16
>          udp_total_prunes: 11
>           udp_idle_prunes: 11
> --------------------------------------------------
> stream_icmp
>                  sessions: 4
>                       max: 4
>                   created: 4
>                  released: 4
> --------------------------------------------------
> stream_ip
>                  sessions: 1
>                       max: 1
>                   created: 1
>                  released: 1
> --------------------------------------------------
> stream_tcp
>                  sessions: 4
>                       max: 4
>                   created: 4
>                  released: 4
>                  timeouts: 2
>              instantiated: 2
>                    setups: 4
>                  restarts: 1
>              syn_trackers: 2
>             data_trackers: 2
>               segs_queued: 1929
>             segs_released: 1929
>                 segs_used: 1929
>           rebuilt_packets: 52
>             rebuilt_bytes: 797387
>           client_cleanups: 3
>           server_cleanups: 3
>                      syns: 2
>                  syn_acks: 2
>                    resets: 1
>                      fins: 1
> --------------------------------------------------
> stream_udp
>                  sessions: 16
>                       max: 16
>                   created: 24
>                  released: 24
>                  timeouts: 8
> --------------------------------------------------
> wizard
>                 tcp_scans: 48
>                  tcp_hits: 1
>                 udp_scans: 83
> --------------------------------------------------
> Appid dynamic stats:
> unknown_app: flows: 12, clients: 0, users: 0, payloads 0, misc: 0
> --------------------------------------------------
> Summary Statistics
> --------------------------------------------------
> timing
>                   runtime: 00:00:00
>                   seconds: 0.216729
>                   packets: 2739
>                  pkts/sec: 2739
> o")~   Snort exiting
>
>
>
> Thank you very much for any help and advice!
>
>
> Best regards,
>
> Li
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> 	To unsubscribe, send an email to:
> 	snort-users-leave at lists.snort.org
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
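
As an added example (not from Russ's or Li's mail, and not code from the snort3 or snort3_extra projects), here is a gdb command file that does what Russ suggests: break in `Dpx::eval`, print the call stack for every hit, and continue, so that the 80 calls can be traced back to whichever component made them. The class name `Dpx`, the pcap and the command line are taken from Li's message; the `packet_flags` member of `Packet` is an assumption about the snort3 headers of that era, so drop that line if gdb cannot resolve it. Both snort and the plugin need to be built with debug symbols (`-g`) for the frames to be named.

```gdb
# dpx_eval.gdb  --  added example: trace every call into Dpx::eval
# Usage:  gdb -batch -x dpx_eval.gdb snort
set pagination off
# the plugin .so is dlopen'd after startup, so the symbol is not known yet
set breakpoint pending on

break Dpx::eval
commands
  silent
  printf "---- Dpx::eval hit ----\n"
  # packet_flags is assumed to be the flags member of snort::Packet;
  # remove this line if the field name does not resolve in your headers
  p/x p->packet_flags
  # twelve frames are normally enough to see whether the call came
  # through stream_tcp's reassembly path or straight from the packet loop
  bt 12
  continue
end

# command line from Li's message (labelled constructed for this file)
run --plugin-path /usr/local/lib -c /usr/local/etc/snort/snort.lua --lua "dpx={}" -r iec61850.pcap
```

Reading the output is the diagnostic: hits whose frames pass through stream_tcp's reassembly code are rebuilt PDUs delivered via the StreamSplitter, hits that arrive directly from the packet analyzer are raw packets, and the number of "hit" banners should equal the 80 reported under `dpx` in the module statistics. Comparing those stacks with the 2739 packets the codec counted shows which stage decides that a packet is not for this inspector.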
