Snort mailing list archives
Re: Non-Determinism in Snort detection engine
From: Edward Borgoyn <e.c.borgoyn () ieee org>
Date: Fri, 7 Jul 2017 07:45:52 -0400
Are you running Snort with the -H command line option?

On Fri, Jul 7, 2017 at 7:37 AM, Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk> wrote:
Snort team,

I have recently observed that snort, having same rules (Pre-processor rules to be precise), have generated different number of alerts for the same pcap traffic when run twice. Is there any non-determinism in the snort engine or I might have done something wrong with the experiment?

To be more precise, in the alerts data in the mysql database, different packets (same source IP, destination but different IP ID) of the same TCP session have been alerted by the same preprocessor rule, SID=33, GID=119, msg: http_inspect: UNESCAPED SPACE IN HTTP URI. This is after I run the experiment twice for the same pcap data.

Asad

------------------------------
*From:* Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk>
*Sent:* Friday, July 7, 2017 12:11:15 PM
*To:* Snort-users () lists snort org; snort-users () lists sourceforge net
*Subject:* [Snort-users] Fw: Non-Determinism in Snort detection engine

------------------------------
*From:* Asad, Hafiz ul
*Sent:* Thursday, July 6, 2017 5:50 PM
*To:* snort-users () lists sourceforge net
*Subject:* Non-Determinism in Snort detection engine

Snort team,

I have recently observed that snort, having same rules (Pre-processor rules to be precise), have generated different number of alerts for the same pcap traffic when run twice. Is there any non-determinism in the snort engine or I might have done something wrong with the experiment?

regards
Asad

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!