Snort mailing list archives

Re: Snort gives different stats for different runs with the same set of inputs


From: Stephen Fernandis [IT Shared Services – Hub] <fernans () mtn co ug>
Date: Fri, 13 Dec 2013 11:29:42 +0300

Hi Russ/Mehendra,

I installed Snort on Windows 2003 servers properly, but when I try to install Apache 2.4 I get the error below. Following the
error, I uploaded the mod_fcgid.so file into modules, but I am still getting errors.

C:\>Ampps\apache\bin\httpd.exe -k install
Installing the Apache2.4 service
The Apache2.4 service is successfully installed.
Testing httpd.conf....
Errors reported here must be corrected before the service can be started.
httpd.exe: Syntax error on line 95 of C:/Ampps/apache/conf/httpd.conf: Cannot load modules/mod_fcgid.so into server: The specified module could not be found.

Kind Regards,
Stephen Fernandis
Network & Security Domain, Information Technology |MTN-HUB
Cell + 256 785373903 Desk +256 312125995 |email : fernans () mtn co ug

I do not know anyone who has got to the top without hard work. That is the recipe. It will not always get you to the top, but should get you pretty near- In memory of Margaret Thatcher

From: Mahendra Ladhe [mailto:lml108 () yahoo com]
Sent: Friday, December 13, 2013 7:22 AM
To: Russ Combs
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort gives different stats for different runs with the same set of inputs

Thanks Russ. Using -H, now I get the same stats after each run.
So this was due to the use of a random number generator for seed and scale
in hash table usage.

Thank you.
Mahendra

On Friday, 13 December 2013 12:12 AM, Russ Combs <rcombs () sourcefire com> wrote:
Try adding -H to your command line and see what happens.

On Thu, Dec 12, 2013 at 3:54 AM, Mahendra Ladhe <lml108 () yahoo com> wrote:
Hi,
When I run snort more than once on the same input pcap file on the same x86 machine
with the same set of arguments, the stats printed are different.

Output of snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5.6 GRE (Build 208)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

My command lines to invoke snort:

sudo snort -c /blah/blah/snort_rules_asis/etc/snort.conf -r /blah/blah/LLS_DDOS_1.0-dmz.dump -k none >>~/log1 2>>~/log1
sudo snort -c /blah/blah/snort_rules_asis/etc/snort.conf -r /blah/blah/LLS_DDOS_1.0-dmz.dump -k none >>~/log2 2>>~/log2

I'm using the snort.conf that ships with the snort rules 2.9.5.5 as is.

I have empty
snort_rules_asis/rules/white_list.rules
snort_rules_asis/rules/black_list.rules
files.

Here is the relevant part of the difference between the two log files generated.
$ diff -u ~/log1 ~/log2

--- log1    2013-12-12 13:52:31.972748000 +0530
+++ log2    2013-12-12 13:52:31.978745000 +0530
@@ -460,13 +460,13 @@
    Injected:            0
 ===============================================================================
 Breakdown by protocol (includes rebuilt packets):
-        Eth:       394732 (100.000%)
+        Eth:       394733 (100.000%)
        VLAN:            0 (  0.000%)
-        IP4:       390468 ( 98.920%)
+        IP4:       390469 ( 98.920%)
        Frag:            0 (  0.000%)
        ICMP:         3034 (  0.769%)
         UDP:         3448 (  0.874%)
-        TCP:       383986 ( 97.278%)
+        TCP:       383987 ( 97.278%)
         IP6:            0 (  0.000%)
     IP6 Ext:            0 (  0.000%)
    IP6 Opts:            0 (  0.000%)
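Review bot: the only counters that move in this hunk are Eth, IP4 and TCP, each by exactly one, while VLAN, Frag, ICMP, UDP and the IP6 rows are identical; since the heading says this breakdown "includes rebuilt packets", the extra unit is consistent with one more stream-reassembled TCP packet rather than an extra frame read from the pcap, so the "TCP Rebuilt Packets" counter further down is the one to compare before treating this as a capture-read difference.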
@@ -505,8 +505,8 @@
 Bad Chk Sum:            0 (  0.000%)
     Bad TTL:            0 (  0.000%)
      S5 G 1:          381 (  0.097%)
-     S5 G 2:          262 (  0.066%)
-      Total:       394732
+     S5 G 2:          263 (  0.067%)
+      Total:       394733
 ===============================================================================
 Action Stats:
      Alerts:            0 (  0.000%)
@@ -519,10 +519,10 @@
       Event:            0
       Alert:            0
 Verdicts:
-      Allow:       388534 ( 98.590%)
+      Allow:       394089 (100.000%)
       Block:            0 (  0.000%)
     Replace:            0 (  0.000%)
-  Whitelist:         5555 (  1.410%)
+  Whitelist:            0 (  0.000%)
   Blacklist:            0 (  0.000%)
      Ignore:            0 (  0.000%)
 ===============================================================================
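Review bot: the Whitelist verdict dropping from 5555 to 0 is not a one-packet drift: Allow rises by the same 5555 (388534 + 5555 = 394089), so the verdict total is identical and an entire class of packets was reclassified between runs. With white_list.rules stated above the diff to be empty, that 5555-packet swing is the line to chase when reproducing the run, not the single extra packet in the protocol breakdown.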
@@ -556,10 +556,10 @@
 TCP StreamTrackers Deleted: 9466
               TCP Timeouts: 57
               TCP Overlaps: 7
-       TCP Segments Queued: 85702
-     TCP Segments Released: 85702
-       TCP Rebuilt Packets: 27267
-         TCP Segments Used: 85275
+       TCP Segments Queued: 87295
+     TCP Segments Released: 87295
+       TCP Rebuilt Packets: 27447
+         TCP Segments Used: 86868
               TCP Discards: 24
                   TCP Gaps: 7693
       UDP Sessions Created: 734
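Review bot: TCP Segments Queued/Released differ by 1593 and TCP Rebuilt Packets by 180 between the runs, far more than the one-packet difference in the protocol breakdown, while StreamTrackers Deleted, Timeouts, Overlaps, Discards and Gaps are identical; the run-to-run variance therefore originates in the reassembly path rather than in the packet count. Queued equals Released in both runs, so nothing is being leaked, only reassembled differently.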
@@ -594,7 +594,7 @@
     HTTP Response Gzip packets extracted: 0
     Gzip Compressed Data Processed:       n/a
     Gzip Decompressed Data Processed:     n/a
-    Total packets processed:              218796
+    Total packets processed:              222212
 ===============================================================================
 SMTP Preprocessor Statistics
   Total sessions                                    : 524

If I run snort a couple more times, I see stats a small part of which differ from the previous run.
Could someone please explain the reason behind this?

Thank you.
Mahendra

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT
organizations don't have a clear picture of how application performance
affects their revenue. With AppDynamics, you get 100% visibility into your
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



________________________________
NOTE: This e-mail message is subject to the MTN Group disclaimer see http://www.mtn.co.ug/email/Email-disclaimer.aspx
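A small harness, added here as an example and not part of this thread or of Snort itself, that makes the check Mahendra did by hand repeatable: it parses the end-of-run counters out of a Snort summary, diffs two runs, and, when pointed at a real pcap, runs Snort several times with and without the -H flag Russ suggested and reports whether the statistics are stable. It assumes a Snort 2.9.x binary named snort on PATH; the embedded RUN_A/RUN_B samples are constructed from the counters quoted above and need no Snort install.

```python
"""Check whether repeated Snort runs on one pcap give identical statistics.

Added example for this thread (not Snort's own code). run_snort() assumes a
Snort 2.9.x binary named "snort" on PATH; parse_stats() and diff_stats()
only need captured run output, so they also work on saved log files.
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# Counter lines look like "        Eth:       394732 (100.000%)" or
# "      Total:       394732". Percentages are derived from the counts,
# so only the integer is kept.
_COUNTER = re.compile(
    r"^\s*(?P<label>[^:]+?):\s+(?P<value>\d+)(?:\s+\(\s*[\d.]+%\))?\s*$"
)
# A line that ends in ":" with no value opens a section, e.g. "Verdicts:".
_SECTION = re.compile(r"^\s*(?P<name>[^:]+?):\s*$")


def parse_stats(text: str) -> Dict[str, int]:
    """Map "section/label" to the integer counter printed in a Snort run summary.

    Labels such as "Total" repeat across sections, so the enclosing section
    heading is folded into the key to keep them apart.
    """
    stats: Dict[str, int] = {}
    section = "top"
    for line in text.splitlines():
        sec = _SECTION.match(line)
        if sec:
            section = sec.group("name").strip()
            continue
        cnt = _COUNTER.match(line)
        if cnt:
            stats[f"{section}/{cnt.group('label').strip()}"] = int(cnt.group("value"))
    return stats


def diff_stats(
    a: Dict[str, int], b: Dict[str, int]
) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """Return (key, value_in_a, value_in_b) for every counter that differs."""
    return [
        (k, a.get(k), b.get(k))
        for k in sorted(set(a) | set(b))
        if a.get(k) != b.get(k)
    ]


def run_snort(args: List[str], runs: int = 3) -> List[Dict[str, int]]:
    """Run Snort `runs` times with identical arguments and parse each summary.

    Snort writes the summary to stdout and errors to stderr; both are kept,
    mirroring the ">>log 2>>log" redirection used in the thread.
    """
    parsed = []
    for _ in range(runs):
        proc = subprocess.run(["snort", *args], capture_output=True, text=True, check=False)
        parsed.append(parse_stats(proc.stdout + proc.stderr))
    return parsed


def is_deterministic(results: List[Dict[str, int]]) -> bool:
    """True when every run produced exactly the same counters as the first."""
    return all(not diff_stats(results[0], other) for other in results[1:])


# Constructed samples, trimmed from the two runs quoted in this thread.
RUN_A = """\
Breakdown by protocol (includes rebuilt packets):
        Eth:       394732 (100.000%)
        TCP:       383986 ( 97.278%)
      Total:       394732
Verdicts:
      Allow:       388534 ( 98.590%)
  Whitelist:         5555 (  1.410%)
"""
RUN_B = """\
Breakdown by protocol (includes rebuilt packets):
        Eth:       394733 (100.000%)
        TCP:       383987 ( 97.278%)
      Total:       394733
Verdicts:
      Allow:       394089 (100.000%)
  Whitelist:            0 (  0.000%)
"""

if __name__ == "__main__":
    for key, va, vb in diff_stats(parse_stats(RUN_A), parse_stats(RUN_B)):
        print(f"{key}: {va} -> {vb}")
    # Real check: pass the Snort arguments on the command line, e.g.
    #   python3 snort_stats.py -c /etc/snort/snort.conf -r capture.pcap -k none
    # Each set of runs uses the same arguments; the second set adds -H.
    if len(sys.argv) > 1:
        try:
            for tag, extra in (("without -H", []), ("with -H", ["-H"])):
                state = "stable" if is_deterministic(run_snort(sys.argv[1:] + extra)) else "varies"
                print(f"{tag}: statistics {state} across runs")
        except FileNotFoundError:
            print("snort binary not found on PATH")
```

Run without arguments it only diffs the two embedded samples; with Snort arguments it performs three runs per setting, so a single lucky match does not pass as determinism.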
