Snort mailing list archives

Re: Snort gives different stats for different runs with the same set of inputs


From: Mahendra Ladhe <lml108 () yahoo com>
Date: Fri, 13 Dec 2013 12:22:24 +0800 (SGT)

Thanks Russ. Using -H, now I get the same stats after each run.

So this was due to the use of a random number generator for the seed and scale
in the hash tables.

Thank you.
Mahendra




On Friday, 13 December 2013 12:12 AM, Russ Combs <rcombs () sourcefire com> wrote:
 
Try adding -H to your command line and see what happens.




On Thu, Dec 12, 2013 at 3:54 AM, Mahendra Ladhe <lml108 () yahoo com> wrote:

Hi,
    When I run Snort more than once on the same input pcap file on the same x86 machine
with the same set of arguments, the stats printed are different.

Output of snort -V
   
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5.6 GRE (Build 208)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

My command lines to invoke snort:

sudo snort -c /blah/blah/snort_rules_asis/etc/snort.conf -r /blah/blah/LLS_DDOS_1.0-dmz.dump -k none >>~/log1 2>>~/log1
sudo snort -c /blah/blah/snort_rules_asis/etc/snort.conf -r /blah/blah/LLS_DDOS_1.0-dmz.dump -k none >>~/log2 2>>~/log2

I'm using the snort.conf that ships with the snort rules 2.9.5.5 as is.

I have empty
snort_rules_asis/rules/white_list.rules
snort_rules_asis/rules/black_list.rules
files.

Here is the relevant part of the difference between the two log files generated.
$ diff -u ~/log1 ~/log2

--- log1    2013-12-12 13:52:31.972748000 +0530
+++ log2    2013-12-12 13:52:31.978745000 +0530
@@ -460,13 +460,13 @@
    Injected:            0
 ===============================================================================
 Breakdown by protocol (includes rebuilt packets):
-        Eth:       394732 (100.000%)
+        Eth:       394733 (100.000%)
        VLAN:            0 (  0.000%)
-        IP4:       390468 ( 98.920%)
+        IP4:       390469 ( 98.920%)
        Frag:            0 (  0.000%)
        ICMP:         3034 (  0.769%)
         UDP:         3448 (  0.874%)
-        TCP:       383986 ( 97.278%)
+        TCP:       383987 ( 97.278%)
         IP6:            0 (  0.000%)
     IP6 Ext:            0 (  0.000%)
    IP6 Opts:            0 (  0.000%)
@@ -505,8 +505,8 @@
 Bad Chk Sum:            0 (  0.000%)
     Bad TTL:            0 (  0.000%)
      S5 G 1:          381 (  0.097%)
-     S5 G 2:          262 (  0.066%)
-      Total:       394732
+     S5 G 2:          263 (  0.067%)
+      Total:       394733
 ===============================================================================
 Action Stats:
      Alerts:            0 (  0.000%)
@@ -519,10 +519,10 @@
       Event:            0
       Alert:            0
 Verdicts:
-      Allow:       388534 ( 98.590%)
+      Allow:       394089 (100.000%)
       Block:            0 (  0.000%)
     Replace:            0 (  0.000%)
-  Whitelist:         5555 (  1.410%)
+  Whitelist:            0 (  0.000%)
   Blacklist:            0 (  0.000%)
      Ignore:            0 (  0.000%)
 ===============================================================================
@@ -556,10 +556,10 @@
 TCP StreamTrackers Deleted: 9466
               TCP Timeouts: 57
               TCP Overlaps: 7
-       TCP Segments Queued: 85702
-     TCP Segments Released: 85702
-       TCP Rebuilt Packets: 27267
-         TCP Segments Used: 85275
+       TCP Segments Queued: 87295
+     TCP Segments Released: 87295
+       TCP Rebuilt Packets: 27447
+         TCP Segments Used: 86868
               TCP Discards: 24
                   TCP Gaps: 7693
       UDP Sessions Created: 734
@@ -594,7 +594,7 @@
     HTTP Response Gzip packets extracted: 0         
     Gzip Compressed Data Processed:       n/a       
     Gzip Decompressed Data Processed:    n/a       
-    Total packets processed:              218796    
+    Total packets processed:              222212    
 ===============================================================================
 SMTP Preprocessor Statistics
   Total sessions                                    : 524


If I run Snort a couple more times, I again see stats, a small part of which differ from the previous run.
Could someone please explain the reason behind this?


Thank you.
Mahendra

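The mechanism Russ and Mahendra settle on above (hash-table seed and scale drawn from a random number generator at startup, fixed by -H) can be shown with a small model. The script below is an added example written for this archive page; it is not Snort code and does not reproduce Snort's sfxhash pruning policy. It models a bounded session table whose buckets prune their oldest entry on overflow, feeds it a constructed packet stream twice with different hash parameters, and shows that the counters (sessions created, sessions pruned, packets matched to an existing session) change with the parameters even though the input is identical, while a fixed (seed, scale) pair reproduces exactly. The hash function, bucket count, chain limit and the flow keys are all assumptions chosen to keep the arithmetic small.

```python
"""Toy model of why a randomized hash seed makes per-run statistics drift.

Added example, not Snort's code. A bounded session table hashes each flow
key into NBUCKETS buckets; a bucket holds at most MAXCHAIN sessions and
prunes its oldest entry when a new flow collides into a full bucket (a
deliberate simplification of real memcap/LRU pruning). Which flows collide
depends on the hash parameters, so a random (seed, scale) changes how many
sessions get pruned and re-created, and therefore the counters, even though
the packet stream is byte-for-byte the same.
"""
import random
from collections import OrderedDict

NBUCKETS = 4   # tiny bucket count so collisions are frequent (assumption)
MAXCHAIN = 3   # sessions a bucket holds before pruning its oldest (assumption)

# Constructed packet stream: 12 flows, each sending two packets, round-robin.
# A flow key is a small integer standing in for the real 5-tuple.
PACKETS = [flow for _ in range(2) for flow in range(1, 13)]


def bucket_index(key, seed, scale):
    """Toy hash (assumption): seed and scale alter which keys share a bucket.
    Discarding the two low bits (>> 2) keeps the result from being a plain
    permutation of key % NBUCKETS, so the collision pattern really changes."""
    return ((key * scale + seed) >> 2) % NBUCKETS


def run(packets, seed, scale):
    """Process the stream once and return the session-table counters."""
    table = [OrderedDict() for _ in range(NBUCKETS)]   # oldest entry first
    stats = {"sessions_created": 0, "sessions_pruned": 0, "packets_tracked": 0}
    for key in packets:
        chain = table[bucket_index(key, seed, scale)]
        if key in chain:
            stats["packets_tracked"] += 1      # matched an existing session
            continue
        if len(chain) >= MAXCHAIN:
            chain.popitem(last=False)          # prune the oldest session
            stats["sessions_pruned"] += 1
        chain[key] = True
        stats["sessions_created"] += 1         # new (or re-created) session
    return stats


def run_random(packets, rng=random):
    """Default behaviour in the model: parameters drawn at startup."""
    seed = rng.getrandbits(8)
    scale = rng.getrandbits(8) | 1
    return run(packets, seed, scale)


def run_deterministic(packets):
    """Equivalent of -H in the model: fixed parameters, so every run matches."""
    return run(packets, seed=3, scale=5)


def is_reproducible(runner, packets, trials=5):
    """True when repeated runs over the same input give identical counters."""
    first = runner(packets)
    return all(runner(packets) == first for _ in range(trials - 1))


if __name__ == "__main__":
    # Two hand-picked parameter pairs: the first spreads the 12 flows evenly
    # (no pruning), the second piles four flows into one bucket.
    for seed, scale in ((3, 5), (11, 7)):
        print(f"seed={seed:3d} scale={scale:3d} ->", run(PACKETS, seed, scale))
    print("fixed parameters reproducible:", is_reproducible(run_deterministic, PACKETS))
    print("random parameters reproducible:", is_reproducible(run_random, PACKETS))
```

With the first pair every flow stays tracked across both packets; with the second, bucket overflow prunes sessions that are then re-created when the flow's next packet arrives, inflating the "created" counter and shrinking the "tracked" one. That is the same shape as the diff in the original post, where TCP segment and rebuilt-packet counts move between runs while the input pcap does not. The random-parameter line may print True or False on any given invocation; only the fixed-parameter run is guaranteed stable.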
------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT
organizations don't have a clear picture of how application performance
affects their revenue. With AppDynamics, you get 100% visibility into your
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------