Snort mailing list archives
Re: Snort gives different stats for different runs with the same set of inputs
From: Stephen Fernandis [IT Shared Services – Hub] <fernans () mtn co ug>
Date: Fri, 13 Dec 2013 11:29:42 +0300
Hi Russ/Mahendra,

I installed Snort on Windows 2003 servers properly, but when I try to install Apache 2.4 I get the error below. Following the error, I uploaded the mod_fcgid.so file into modules, but I am still getting the error.

C:\>Ampps\apache\bin\httpd.exe -k install
Installing the Apache2.4 service
The Apache2.4 service is successfully installed.
Testing httpd.conf....
Errors reported here must be corrected before the service can be started.
httpd.exe: Syntax error on line 95 of C:/Ampps/apache/conf/httpd.conf: Cannot load modules/mod_fcgid.so into server: The specified module could not be found.

Kind Regards,
Stephen Fernandis
Network & Security Domain, Information Technology | MTN-HUB
Cell +256 785373903 Desk +256 312125995 | email: fernans () mtn co ug

I do not know anyone who has got to the top without hard work. That is the recipe. It will not always get you to the top, but should get you pretty near. - In memory of Margaret Thatcher
From: Mahendra Ladhe [mailto:lml108 () yahoo com]
Sent: Friday, December 13, 2013 7:22 AM
To: Russ Combs
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort gives different stats for different runs with the same set of inputs

Thanks Russ. Using -H, I now get the same stats after each run. So this was due to the use of a random number generator for the seed and scale in hash table usage.

Thank you.
Mahendra

On Friday, 13 December 2013 12:12 AM, Russ Combs <rcombs () sourcefire com> wrote:

Try adding -H to your command line and see what happens.

On Thu, Dec 12, 2013 at 3:54 AM, Mahendra Ladhe <lml108 () yahoo com> wrote:

Hi,

When I run snort more than once on the same input pcap file, on the same x86 machine and with the same set of arguments, the stats printed are different.

Output of snort -V:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5.6 GRE (Build 208)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

My command lines to invoke snort:

sudo snort -c /blah/blah/snort_rules_asis/etc/snort.conf -r /blah/blah/LLS_DDOS_1.0-dmz.dump -k none >>~/log1 2>>~/log1
sudo snort -c /blah/blah/snort_rules_asis/etc/snort.conf -r /blah/blah/LLS_DDOS_1.0-dmz.dump -k none >>~/log2 2>>~/log2

I'm using the snort.conf that ships with the snort rules 2.9.5.5 as is. I have empty snort_rules_asis/rules/white_list.rules and snort_rules_asis/rules/black_list.rules files.

Here is the relevant part of the difference between the two log files generated.

$ diff -u ~/log1 ~/log2
--- log1 2013-12-12 13:52:31.972748000 +0530
+++ log2 2013-12-12 13:52:31.978745000 +0530
@@ -460,13 +460,13 @@
   Injected: 0
 ===============================================================================
 Breakdown by protocol (includes rebuilt packets):
-  Eth: 394732 (100.000%)
+  Eth: 394733 (100.000%)
   VLAN: 0 ( 0.000%)
-  IP4: 390468 ( 98.920%)
+  IP4: 390469 ( 98.920%)
   Frag: 0 ( 0.000%)
   ICMP: 3034 ( 0.769%)
   UDP: 3448 ( 0.874%)
-  TCP: 383986 ( 97.278%)
+  TCP: 383987 ( 97.278%)
   IP6: 0 ( 0.000%)
   IP6 Ext: 0 ( 0.000%)
   IP6 Opts: 0 ( 0.000%)
@@ -505,8 +505,8 @@
   Bad Chk Sum: 0 ( 0.000%)
   Bad TTL: 0 ( 0.000%)
   S5 G 1: 381 ( 0.097%)
-  S5 G 2: 262 ( 0.066%)
-  Total: 394732
+  S5 G 2: 263 ( 0.067%)
+  Total: 394733
 ===============================================================================
 Action Stats:
   Alerts: 0 ( 0.000%)
@@ -519,10 +519,10 @@
   Event: 0
   Alert: 0
 Verdicts:
-  Allow: 388534 ( 98.590%)
+  Allow: 394089 (100.000%)
   Block: 0 ( 0.000%)
   Replace: 0 ( 0.000%)
-  Whitelist: 5555 ( 1.410%)
+  Whitelist: 0 ( 0.000%)
   Blacklist: 0 ( 0.000%)
   Ignore: 0 ( 0.000%)
 ===============================================================================
@@ -556,10 +556,10 @@
   TCP StreamTrackers Deleted: 9466
   TCP Timeouts: 57
   TCP Overlaps: 7
-  TCP Segments Queued: 85702
-  TCP Segments Released: 85702
-  TCP Rebuilt Packets: 27267
-  TCP Segments Used: 85275
+  TCP Segments Queued: 87295
+  TCP Segments Released: 87295
+  TCP Rebuilt Packets: 27447
+  TCP Segments Used: 86868
   TCP Discards: 24
   TCP Gaps: 7693
   UDP Sessions Created: 734
@@ -594,7 +594,7 @@
   HTTP Response Gzip packets extracted: 0
   Gzip Compressed Data Processed: n/a
   Gzip Decompressed Data Processed: n/a
-  Total packets processed: 218796
+  Total packets processed: 222212
 ===============================================================================
 SMTP Preprocessor Statistics
   Total sessions : 524

If I run snort a couple more times, I see stats a small part of which differs from the previous run. Could someone please explain the reason behind this?

Thank you.
Mahendra

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
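The mechanism behind Russ's -H suggestion and Mahendra's finding (Snort 2.9's -H option makes its hash tables deterministic instead of drawing a random seed and scale per process), shown with an added, constructed example that is not Snort's code: a toy flow table whose bucket index depends on a hash seed. The bucket count, the per-chain limit, the keyed BLAKE2 stand-in for Snort's seeded hash function, and the synthetic packet trace standing in for the pcap are all assumptions of this example. Because a chain that overflows evicts its oldest flow, and an evicted flow is counted as a new session when its next packet arrives, the "sessions created" and "continuation" counters depend on which flows happened to share a bucket, which is exactly what the seed decides; pinning the seed makes every replay of the same trace produce identical counters.

```python
"""Why a randomly seeded hash table makes per-run statistics drift.

Constructed example (not Snort's code): a toy flow table whose bucket
index depends on a hash seed. Chains have a small limit, so which flows
get evicted on collision depends on the seed; evicted flows are re-created
when their next packet arrives, which changes the session counters from
run to run. A fixed seed (the analogue of Snort's -H) removes the drift.
"""
import hashlib
import random
from collections import OrderedDict

BUCKETS = 16     # assumption: tiny table so collisions are common
BUCKET_CAP = 2   # assumption: max flows per chain; oldest is evicted on overflow


def bucket_index(flow_key: bytes, hash_seed: int) -> int:
    """Seeded hash: keyed BLAKE2 (assumed stand-in for Snort's seed/scale
    hash function), reduced to a bucket number."""
    key = (hash_seed & 0xFFFFFFFF).to_bytes(4, "little")
    digest = hashlib.blake2b(flow_key, digest_size=4, key=key).digest()
    return int.from_bytes(digest, "little") % BUCKETS


def build_trace(num_flows: int = 48, pkts_per_flow: int = 6, rng_seed: int = 7) -> list:
    """Constructed 'pcap': a fixed, interleaved sequence of 5-tuple keys.
    The same rng_seed always yields the same trace, like re-reading one
    capture file."""
    rng = random.Random(rng_seed)
    packets = []
    for i in range(num_flows):
        key = f"10.0.{i // 256}.{i % 256}:{1024 + i}->192.0.2.10:80/tcp".encode()
        packets.extend([key] * pkts_per_flow)
    rng.shuffle(packets)
    return packets


def run_trace(trace: list, hash_seed: int) -> dict:
    """Replay the trace through a flow table hashed with `hash_seed`
    and return the per-run counters."""
    buckets = [OrderedDict() for _ in range(BUCKETS)]
    stats = {"sessions_created": 0, "continuations": 0, "evictions": 0}
    for key in trace:
        chain = buckets[bucket_index(key, hash_seed)]
        if key in chain:
            chain[key] += 1                # packet on a tracked flow
            stats["continuations"] += 1
            continue
        if len(chain) >= BUCKET_CAP:
            chain.popitem(last=False)      # drop the oldest flow in this chain
            stats["evictions"] += 1
        chain[key] = 1                     # new (or re-created) session
        stats["sessions_created"] += 1
    return stats


def runs_agree(trace: list, seed_a: int, seed_b: int) -> bool:
    """True when two replays of the same trace report identical counters."""
    return run_trace(trace, seed_a) == run_trace(trace, seed_b)


if __name__ == "__main__":
    trace = build_trace()
    # Default behaviour: a fresh random seed per process, so counters drift.
    for _ in range(2):
        s = random.SystemRandom().getrandbits(32)
        print(f"random seed {s:#010x}: {run_trace(trace, s)}")
    # -H analogue: a pinned seed gives the same counters on every run.
    for _ in range(2):
        print(f"fixed  seed 0x00000001: {run_trace(trace, 1)}")
```

Two points carry over to real deployments. First, total packets are conserved in every run (sessions created plus continuations always equals the trace length), so the drift shows up only in the derived counters, just as the thread's diff shows the same capture yielding different stream-tracker and verdict counts. Second, the random seed exists for a reason: a fixed, known seed lets an attacker craft flows that all land in one chain, so pin the seed (-H) only when you need reproducible runs, such as regression-testing a ruleset against a fixed pcap.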
Current thread:
- Snort gives different stats for different runs with the same set of inputs Mahendra Ladhe (Dec 12)
- Re: Snort gives different stats for different runs with the same set of inputs Russ Combs (Dec 12)
- Re: Snort gives different stats for different runs with the same set of inputs Mahendra Ladhe (Dec 12)
- Re: Snort gives different stats for different runs with the same set of inputs Stephen Fernandis [IT Shared Services – Hub] (Dec 13)
- Re: Snort gives different stats for different runs with the same set of inputs Mahendra Ladhe (Dec 12)
- Re: Snort gives different stats for different runs with the same set of inputs Russ Combs (Dec 12)