Snort mailing list archives
Re: Non-Determinism in Snort detection engine
From: Felix Erlacher <felix.erlacher () uibk ac at>
Date: Fri, 7 Jul 2017 14:28:14 +0200
sshfs is for sure not the most performant way to mount remote folders. But I am pretty sure that in this case it is not the cause of your problem, because the pcap files will be loaded into memory before being processed by Snort.

felix

On 07/07/17 14:01, Asad, Hafiz ul wrote:

Hi,

Thanks for your reply. The files are actually quite big, in hundreds of gigs, but I don't replay them on the network. I am using this:

    snort --pcap-file=/path_to_pcap_file.txt -c snort.conf -l /var/log/snort

However, the path to the list of pcap files is on another machine having the pcap files. I am just mounting that drive through "sshfs" to the machine where I am running snort. Could that be the reason?

Asad

------------------------------------------------------------------------
*From:* Felix Erlacher <felix.erlacher () uibk ac at>
*Sent:* Friday, July 7, 2017 12:44:17 PM
*To:* snort-users () lists snort org
*Subject:* Re: [Snort-users] Non-Determinism in Snort detection engine

Hi Asad,

I assume you also have the same rule files for different runs. How do you feed the pcap data to your Snort instance? Reading from a pcap file or replaying it over the network? How big is your pcap dump? Replaying over the network might lead to different packets being lost on different runs and thus lead to different results.

greets
felix

On 07/07/17 13:37, Asad, Hafiz ul wrote:

Snort team,

I have recently observed that snort, having the same rules (Pre-processor rules to be precise), has generated a different number of alerts for the same pcap traffic when run twice. Is there any non-determinism in the snort engine, or might I have done something wrong with the experiment?

To be more precise, in the alerts data in the mysql database, different packets (same source IP, destination but different IP ID) of the same TCP session have been alerted by the same preprocessor rule, SID=33, GID=119, msg: http_inspect: UNESCAPED SPACE IN HTTP URI. This is after I ran the experiment twice for the same pcap data.

Asad

------------------------------------------------------------------------
*From:* Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk>
*Sent:* Friday, July 7, 2017 12:11:15 PM
*To:* Snort-users () lists snort org; snort-users () lists sourceforge net
*Subject:* [Snort-users] Fw: Non-Determinism in Snort detection engine

------------------------------------------------------------------------
*From:* Asad, Hafiz ul
*Sent:* Thursday, July 6, 2017 5:50 PM
*To:* snort-users () lists sourceforge net
*Subject:* Non-Determinism in Snort detection engine

Snort team,

I have recently observed that snort, having the same rules (Pre-processor rules to be precise), has generated a different number of alerts for the same pcap traffic when run twice. Is there any non-determinism in the snort engine, or might I have done something wrong with the experiment?

regards
Asad

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

--
Felix Erlacher
ccs-labs.org/~erlacher
Key-ID:4EAC0959
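A diagnostic for the comparison this thread is about (do two Snort runs over the same pcap list alert on the same packets?), added here as an example; it is not code from the thread or from the Snort project. It parses Snort's alert_fast output (the format assumed here is the usual `timestamp  [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port` line; the sample lines are constructed, not real alerts) and compares two runs both by per-rule count and by individual packet. alert_fast does not carry the IP ID that Asad used to tell packets apart, so the packet timestamp from the pcap is used as the packet identity instead; when reading from a file those timestamps are the same on every run, so a mismatch in them is exactly the "same count, different packets" symptom described above.

```python
"""Compare two Snort alert_fast logs from the same pcap to spot non-deterministic alerts.

Added example, not from the mailing-list thread or the Snort project.
Assumes the alert_fast line layout documented in the lead-in.
"""
import re
from collections import Counter

# Constructed sample input (not real Snort output): run A and run B over the
# same pcap. Rule 119:33 fires twice in both runs, but the second hit lands on
# a different packet (different timestamp) of the same TCP flow in run B.
RUN_A = """\
07/07-13:37:01.100000  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80
07/07-13:37:01.250000  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80
07/07-13:37:02.000000  [**] [1:2000001:1] constructed test rule [**] [Priority: 1] {TCP} 10.0.0.6:40000 -> 192.0.2.10:80
"""
RUN_B = """\
07/07-13:37:01.100000  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80
07/07-13:37:01.400000  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80
07/07-13:37:02.000000  [**] [1:2000001:1] constructed test rule [**] [Priority: 1] {TCP} 10.0.0.6:40000 -> 192.0.2.10:80
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, then protocol and endpoints.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)


def parse_alerts(text):
    """Return one dict per alert_fast line; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def alert_key(a):
    """Identity of an alert: which rule fired on which packet (by pcap timestamp) of which flow."""
    return (a['gid'], a['sid'], a['ts'], a['proto'], a['src'], a['dst'])


def compare_runs(text_a, text_b):
    """Per-rule count differences plus the individual alerts present in only one run.

    An empty 'count_diff' with non-empty 'only_in_a'/'only_in_b' means the runs
    produced the same number of alerts per rule but on different packets.
    """
    alerts_a = parse_alerts(text_a)
    alerts_b = parse_alerts(text_b)
    per_rule_a = Counter((a['gid'], a['sid']) for a in alerts_a)
    per_rule_b = Counter((a['gid'], a['sid']) for a in alerts_b)
    keys_a = Counter(alert_key(a) for a in alerts_a)
    keys_b = Counter(alert_key(a) for a in alerts_b)
    rules = set(per_rule_a) | set(per_rule_b)
    return {
        'count_diff': {r: (per_rule_a[r], per_rule_b[r]) for r in rules
                       if per_rule_a[r] != per_rule_b[r]},
        # Counter subtraction keeps only positive counts, so each side lists
        # alerts the other run did not produce (multiplicity preserved).
        'only_in_a': sorted((keys_a - keys_b).elements()),
        'only_in_b': sorted((keys_b - keys_a).elements()),
    }


if __name__ == '__main__':
    result = compare_runs(RUN_A, RUN_B)
    print('per-rule count differences:', result['count_diff'] or 'none')
    for side in ('only_in_a', 'only_in_b'):
        for gid, sid, ts, proto, src, dst in result[side]:
            print(f'{side}: {gid}:{sid} at {ts} {proto} {src} -> {dst}')
```

To use it on real runs, copy the pcap list to local disk, record `sha256sum` of every file before each run so a changed input can be ruled out, run Snort twice with alert_fast output (`-A fast`, or `output alert_fast` in snort.conf) into two separate log directories, and feed the two alert files to `compare_runs`. If the per-rule counts match but the per-packet lists do not, the engine is choosing a different packet of the same flow on each run, which is the symptom reported in this thread and not something an input or transport problem would explain.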
Current thread:
- Re: Non-Determinism in Snort detection engine, (continued)
- Re: Non-Determinism in Snort detection engine Russ via Snort-users (Jul 07)
- Re: Non-Determinism in Snort detection engine Asad, Hafiz ul (Jul 07)
- Re: Non-Determinism in Snort detection engine Russ via Snort-users (Jul 07)
- Re: Non-Determinism in Snort detection engine Asad, Hafiz ul (Jul 07)
- Re: Non-Determinism in Snort detection engine Al Lewis (allewi) via Snort-users (Jul 07)
- Re: Non-Determinism in Snort detection engine Asad, Hafiz ul (Jul 07)
- Re: Non-Determinism in Snort detection engine Joel Esler (jesler) via Snort-users (Jul 07)
- Re: Non-Determinism in Snort detection engine Asad, Hafiz ul (Jul 07)
- Re: Non-Determinism in Snort detection engine Felix Erlacher (Jul 07)
- Re: Non-Determinism in Snort detection engine Asad, Hafiz ul (Jul 07)
- Message not available
- Re: Non-Determinism in Snort detection engine Felix Erlacher (Jul 07)