Number of alerts [in]consistency

[Stef <stefmit () gmail com>]

Hi,

I have a question regarding alerts being recorded using Snort:

- environment = MacOSX (10.3.5) + Snort 2.1.3 (build 27)

I am trying to analyze alerts created using a file of 3.9MB, as follows:

$ sudo snort -d -c /etc/snort/snort.conf -r my-file.cap

Problem? Different runs, different results, i.e. even though I always
get to see the same number of packets being processed, I get different
number of alerts (!!!). The config file stays the same, and the only
thing that changes is really what I am working on at that time, on my
system (i.e. proobably load related?!?).

So - is snort so sensitive as dropping/failing alerts, even for pcap
files being read-in, depending on the load of the system at that
time?!? I am asking this, because the load of the system is the only
variable I can think of, even though this never goes high, during any
of those runs ...

TIA,
Stef


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users