[Snort-users] Snort3 Plugin DPX only get a small amount of packets

Jianyu Li jli31 at qub.ac.uk
Mon Mar 25 04:37:02 EDT 2019


Hi Russ,


Thank you very much!

Yes I think I figure it out, Carter helped me to understand the process in Snort. I wrote a simple StreamSplitter for dpx and it works well! I didn't think of breaking in eval function before, that's a very good suggestion!


Best regards,

Li

________________________________
From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Russ via Snort-users <snort-users at lists.snort.org>
Sent: 24 March 2019 20:11:25
To: snort-users at lists.snort.org
Subject: Re: [Snort-users] Snort3 Plugin DPX only get a small amount of packets

Hey Li,

Did you figure this out?  In general, and indirectly, stream_tcp will pass rebuilt packets (PDUs) to the service inspector but that depends on the StreamSplitter.  The best way to figure out what's going on is to break in your eval function and examine the call stack.

Hope that helps.
Russ

On 3/11/19 4:13 AM, Jianyu Li via Snort-users wrote:

Hey guys,


Any idea how snort passes packets to plugin inspectors?

I read that Stream inspector is responsible for TCP reassembly, so is it also passing packets to other inspectors after reassembly of packets?


Thanks

Li



________________________________
From: Snort-users <snort-users-bounces at lists.snort.org><mailto:snort-users-bounces at lists.snort.org> on behalf of Jianyu Li via Snort-users <snort-users at lists.snort.org><mailto:snort-users at lists.snort.org>
Sent: 08 March 2019 09:11
To: snort-users at lists.snort.org<mailto:snort-users at lists.snort.org>
Subject: [Snort-users] Snort3 Plugin DPX only get a small amount of packets


Hi,


I run the snort3 plugin but only got 80 packets in my plugin. The total amount of packet in summary is 2739.

The question is why I can only got 80 packets instead of all packets in the pcap file.

I am not sure what's the mechanism in Snort3 to pass packets to different components.


The eval function in my plugin is just one line:

void Dpx::eval(Packet* p)
{
    ++dpxstats.total_packets;
}


The output showed that there are only 80 packets passed to the dpx:


--------------------------------------------------
dpx
                  packets: 80
--------------------------------------------------


The command I run is:


root at ubuntudesk1:~# snort --plugin-path /usr/local/lib -c /usr/local/etc/snort/snort.lua --lua "dpx={}" -r iec61850.pcap
--------------------------------------------------
o")~   Snort++ 3.0.0-249
--------------------------------------------------
Disabling profiler because signal 27 handler is already in use.
Loading /usr/local/etc/snort/snort.lua:
        ssh
        pop
        binder
        stream_tcp
        gtp_inspect
        dce_http_proxy
        stream_icmp
        normalizer
        ftp_server
        stream_udp
        dce_smb
        dpx
        ips
        modbus
        rpc_decode
        latency
        wizard
        appid
        file_id
        ftp_data
        smtp
        back_orifice
        port_scan
        dce_http_server
        dce_tcp
        telnet
        ssl
        sip
        classifications
        http2_inspect
        http_inspect
        stream_user
        stream_ip
        dnp3
        ftp_client
        stream
        references
        arp_spoof
        dns
        dce_udp
        imap
        stream_file
Finished /usr/local/etc/snort/snort.lua.
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] iec61850.pcap
-- [0] iec61850.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
                 received: 2739
                 analyzed: 2739
                    allow: 2739
                 rx_bytes: 985615
--------------------------------------------------
codec
                    total: 2739         (100.000%)
                      arp: 46           (  1.679%)
                      eth: 2739         (100.000%)
                    icmp6: 12           (  0.438%)
                     igmp: 4            (  0.146%)
                     ipv4: 2658         ( 97.043%)
                     ipv6: 35           (  1.278%)
            ipv6_hop_opts: 8            (  0.292%)
                      tcp: 2594         ( 94.706%)
                      udp: 83           (  3.030%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 2739
--------------------------------------------------
latency
            total_packets: 2791
              total_usecs: 14640
                max_usecs: 103
--------------------------------------------------
host_tracker
             service_adds: 1
--------------------------------------------------
host_cache
           lru_cache_adds: 1
    lru_cache_find_misses: 1
--------------------------------------------------
appid
                  packets: 2693
        processed_packets: 2693
           total_sessions: 33
            appid_unknown: 13
--------------------------------------------------
arp_spoof
                  packets: 46
--------------------------------------------------
back_orifice
                  packets: 75
--------------------------------------------------
binder
                  packets: 25
                 inspects: 25
--------------------------------------------------
dpx
                  packets: 80
--------------------------------------------------
normalizer
            test_ip4_opts: 4
         test_tcp_options: 4
        test_tcp_trim_win: 1
          test_tcp_ts_nop: 1
--------------------------------------------------
port_scan
                  packets: 2693
--------------------------------------------------
ssl
                  packets: 48
                  decoded: 48
     unrecognized_records: 48
  max_concurrent_sessions: 1
--------------------------------------------------
stream
                 ip_flows: 1
          ip_total_prunes: 1
           ip_idle_prunes: 1
               icmp_flows: 4
        icmp_total_prunes: 4
         icmp_idle_prunes: 4
                tcp_flows: 4
                udp_flows: 16
         udp_total_prunes: 11
          udp_idle_prunes: 11
--------------------------------------------------
stream_icmp
                 sessions: 4
                      max: 4
                  created: 4
                 released: 4
--------------------------------------------------
stream_ip
                 sessions: 1
                      max: 1
                  created: 1
                 released: 1
--------------------------------------------------
stream_tcp
                 sessions: 4
                      max: 4
                  created: 4
                 released: 4
                 timeouts: 2
             instantiated: 2
                   setups: 4
                 restarts: 1
             syn_trackers: 2
            data_trackers: 2
              segs_queued: 1929
            segs_released: 1929
                segs_used: 1929
          rebuilt_packets: 52
            rebuilt_bytes: 797387
          client_cleanups: 3
          server_cleanups: 3
                     syns: 2
                 syn_acks: 2
                   resets: 1
                     fins: 1
--------------------------------------------------
stream_udp
                 sessions: 16
                      max: 16
                  created: 24
                 released: 24
                 timeouts: 8
--------------------------------------------------
wizard
                tcp_scans: 48
                 tcp_hits: 1
                udp_scans: 83
--------------------------------------------------
Appid dynamic stats:
unknown_app: flows: 12, clients: 0, users: 0, payloads 0, misc: 0
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.216729
                  packets: 2739
                 pkts/sec: 2739
o")~   Snort exiting



Thank you very much for any help and advices!


Best regards,

Li



_______________________________________________
Snort-users mailing list
Snort-users at lists.snort.org<mailto:Snort-users at lists.snort.org>
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave at lists.snort.org<mailto:snort-users-leave at lists.snort.org>

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20190325/6260ed3b/attachment.html>


More information about the Snort-users mailing list