Snort mailing list archives
Snort gives different stats for different runs with the same set of inputs
From: Mahendra Ladhe <lml108 () yahoo com>
Date: Thu, 12 Dec 2013 16:54:06 +0800 (SGT)
Hi, when I run snort more than once on the same input pcap file on the same x86 machine with the same set of arguments, the stats printed are different.

Output of snort -V:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5.6 GRE (Build 208)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

My command lines to invoke snort:

sudo snort -c /blah/blah/snort_rules_asis/etc/snort.conf -r /blah/blah/LLS_DDOS_1.0-dmz.dump -k none >>~/log1 2>>~/log1
sudo snort -c /blah/blah/snort_rules_asis/etc/snort.conf -r /blah/blah/LLS_DDOS_1.0-dmz.dump -k none >>~/log2 2>>~/log2

I'm using the snort.conf that ships with the snort rules 2.9.5.5 as is. I have empty snort_rules_asis/rules/white_list.rules and snort_rules_asis/rules/black_list.rules files.

Here is the relevant part of the difference between the two log files generated.

$ diff -u ~/log1 ~/log2
--- log1 2013-12-12 13:52:31.972748000 +0530 +++ log2 2013-12-12 13:52:31.978745000 +0530 @@ -460,13 +460,13 @@ Injected: 0 =============================================================================== Breakdown by protocol (includes rebuilt packets): - Eth: 394732 (100.000%) + Eth: 394733 (100.000%) VLAN: 0 ( 0.000%) - IP4: 390468 ( 98.920%) + IP4: 390469 ( 98.920%) Frag: 0 ( 0.000%) ICMP: 3034 ( 0.769%) UDP: 3448 ( 0.874%) - TCP: 383986 ( 97.278%) + TCP: 383987 ( 97.278%) IP6: 0 ( 0.000%) IP6 Ext: 0 ( 0.000%) IP6 Opts: 0 ( 0.000%) @@ -505,8 +505,8 @@ Bad Chk Sum: 0 ( 0.000%) Bad TTL: 0 ( 0.000%) S5 G 1: 381 ( 0.097%) - S5 G 2: 262 ( 0.066%) - Total: 394732 + S5 G 2: 263 ( 0.067%) + Total: 394733 =============================================================================== Action Stats: Alerts: 0 ( 0.000%) 
@@ -519,10 +519,10 @@ Event: 0 Alert: 0 Verdicts: - Allow: 388534 ( 98.590%) + Allow: 394089 (100.000%) Block: 0 ( 0.000%) Replace: 0 ( 0.000%) - Whitelist: 5555 ( 1.410%) + Whitelist: 0 ( 0.000%) Blacklist: 0 ( 0.000%) Ignore: 0 ( 0.000%) =============================================================================== @@ -556,10 +556,10 @@ TCP StreamTrackers Deleted: 9466 TCP Timeouts: 57 TCP Overlaps: 7 - TCP Segments Queued: 85702 - TCP Segments Released: 85702 - TCP Rebuilt Packets: 27267 - TCP Segments Used: 85275 + TCP Segments Queued: 87295 + TCP Segments Released: 87295 + TCP Rebuilt Packets: 27447 + TCP Segments Used: 86868 TCP Discards: 24 TCP Gaps: 7693 UDP Sessions Created: 734 @@ -594,7 +594,7 @@ HTTP Response Gzip packets extracted: 0 Gzip Compressed Data Processed: n/a Gzip Decompressed Data Processed: n/a - Total packets processed: 218796 + Total packets processed: 222212 =============================================================================== SMTP Preprocessor Statistics Total sessions : 524

If I run snort a couple more times, I see stats, a small part of which differs from the previous run. Could someone please explain the reason behind this?

Thank you.
Mahendra
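Review bot: in the protocol breakdown hunk every changed counter moves by exactly one (Eth, IP4, TCP and Total all go from 394732 to 394733, S5 G 2 from 262 to 263), and that table is labelled as including rebuilt packets, so the extra packet is a rebuilt one produced internally, not an extra frame read from the pcap; the reply should make that distinction before anyone suspects the capture file or libpcap 1.0.0.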
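Review bot: the Verdicts hunk shows a reclassification rather than lost traffic: Whitelist drops from 5555 to 0 while Allow rises from 388534 to 394089, exactly +5555, so the same packets received a different verdict in the second run even though the poster's white_list.rules is empty. Since the Whitelist verdict bypasses later inspection, this is the counter worth asking about first in the reply (which component issues it, and from what configuration, when the whitelist file is empty), because a verdict that is not reproducible on identical input also makes alert output from a single pcap run an unreliable regression baseline.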
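Review bot: the TCP stream hunk locates the variation in reassembly, not in packet capture: Segments Queued and Segments Released move together (85702 to 87295), Queued minus Used is 427 in both runs (85702-85275 and 87295-86868), and Rebuilt Packets goes from 27267 to 27447, which lines up with the HTTP hunk's Total packets processed rising from 218796 to 222212, i.e. more rebuilt data reaching HTTP inspection. TCP Timeouts is 57 in both runs, so a sensible question for the reply is whether session pruning or flush decisions during -r playback depend on anything other than the packet timestamps, since that is the usual way identical input yields different reassembly counts.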
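A small comparison tool, added here as an example and not part of the original post or of Snort itself, that parses the "Section:" / "Counter: value (pct%)" layout of Snort's end-of-run statistics, reports which counters differ between two runs, and checks the invariant visible in the diff above (Allow + Whitelist stays constant). The two excerpts are constructed from the values in the poster's diff.

```python
"""Compare Snort end-of-run statistics between two runs of the same pcap."""
import re
from typing import Dict, Tuple

# "  Allow:       388534 ( 98.590%)" or "  Injected: 0" -> (name, value)
COUNTER_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>\d+)(?:\s*\(\s*[\d.]+%\))?\s*$")

def parse_stats(text: str) -> Dict[Tuple[str, str], int]:
    """Map (section, counter) -> value; unindented headings open a section."""
    stats, section = {}, ""
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[(section, m.group("name").strip())] = int(m.group("value"))
        elif line[:1].isalpha():  # heading like 'Verdicts:' or 'Breakdown by protocol (...)'
            section = re.sub(r"\s*\(.*\)|:\s*$", "", line).strip()
    return stats

def diff_stats(a: Dict, b: Dict) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Counters present in both runs whose values differ: key -> (run1, run2)."""
    return {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]}

def verdict_total(stats: Dict) -> int:
    """Sum of all Verdicts counters; a pure reclassification (Whitelist -> Allow)
    keeps this constant, whereas dropped or duplicated packets would change it."""
    return sum(v for (sec, _), v in stats.items() if sec == "Verdicts")

# Constructed excerpts carrying the Verdicts values from the poster's log1/log2.
LOG1 = """\
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
Verdicts:
      Allow:       388534 ( 98.590%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:         5555 (  1.410%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
"""
LOG2 = (LOG1.replace("388534 ( 98.590%)", "394089 (100.000%)")
            .replace("5555 (  1.410%)", "   0 (  0.000%)"))

if __name__ == "__main__":
    s1, s2 = parse_stats(LOG1), parse_stats(LOG2)
    for (sec, name), (v1, v2) in sorted(diff_stats(s1, s2).items()):
        print(f"{sec}/{name}: {v1} -> {v2} ({v2 - v1:+d})")
    print("verdict totals:", verdict_total(s1), verdict_total(s2))
```

Run it against two complete stats dumps (e.g. the tail of log1 and log2) to get every differing counter with its delta in one place instead of reading a raw diff.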
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort gives different stats for different runs with the same set of inputs Mahendra Ladhe (Dec 12)
- Re: Snort gives different stats for different runs with the same set of inputs Russ Combs (Dec 12)
- Re: Snort gives different stats for different runs with the same set of inputs Mahendra Ladhe (Dec 12)
- Re: Snort gives different stats for different runs with the same set of inputs Stephen Fernandis [IT Shared Services – Hub] (Dec 13)
- Re: Snort gives different stats for different runs with the same set of inputs Mahendra Ladhe (Dec 12)
- Re: Snort gives different stats for different runs with the same set of inputs Russ Combs (Dec 12)