Snort mailing list archives

Re: Randomness in Snort engine


From: Hyunseok <hyunseok () ieee org>
Date: Thu, 11 Sep 2014 14:47:30 -0400

Thanks for your reply.

It's true that the "total packets processed" that I showed earlier is indeed
the pkt-count stat under the "HTTP Inspect" section.

However, I am not sure if I fully understand the symptom.

I see that the packet counter is incremented in
SnortHttpInspect(HTTPINSPECT_GLOBAL_CONF *GlobalConf, Packet *p).

Are you saying that Snort assembles MTU-size tcpdump-captured packets to
construct a large HTTP message body, and then re-chops it into a slightly
varying number of "Packet"s which are then injected into
SnortHttpInspect(Packet *p)?

Sorry, I am new to Snort.

Regards,
-HS



On Thu, Sep 11, 2014 at 2:14 PM, Tom Peters (thopeter) <thopeter () cisco com>
wrote:

Hi,

A possible explanation for your results.

Snort divides up very large protocol messages (e.g. HTTP message body)
into pieces for processing. There is a small random increment added to the
piece size that may vary between runs. Its purpose is to prevent the seams
between message pieces from falling in predictable places that might be
exploited to hide something from detection.

Over a very long run this jitter in the packet boundaries might add up
to a slightly different number of packets.

Tom


From: Hyunseok <hyunseok () ieee org>
Reply-To: "hyunseok () ieee org" <hyunseok () ieee org>
Date: Thursday, September 11, 2014 12:33 PM
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: [Snort-devel] Randomness in Snort engine

Hi,

 I have one question about Snort.

 I was running Snort in offline mode by feeding a tcpdump packet trace to
it.

 I expected that Snort analysis result would be identical when I re-run
Snort multiple times with the same packet trace.

However, I noticed that the total packets processed is slightly
different across different runs, which affects other analysis results.

result.0:    Total packets processed:              230718
result.1:    Total packets processed:              230720
result.2:    Total packets processed:              230722
result.3:    Total packets processed:              230721

 Do you guys have any idea where this slight randomness comes from in
Snort?

 I'm using the default snort configuration with default rule sets.

 This question might be user-oriented, but I thought developers may have
a better idea on the root cause.

 Thanks,
 -HS
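The mechanism Tom describes above, simulated as an added example (this is not Snort's HTTP Inspect code, and the piece size, jitter range and trace below are constructed, illustrative values): a large message body is cut into pieces of a base size plus a small random increment, so the seams land at unpredictable offsets, and over a long trace the total piece count drifts by a few between runs exactly as the "Total packets processed" figures did.

```python
import random

# Constructed parameters; the real HTTP Inspect piece size and jitter
# range are not given in the thread, these are illustrative only.
BASE_PIECE_SIZE = 4000
MAX_JITTER = 200


def chunk_message(body: bytes, base_size: int, max_jitter: int,
                  rng: random.Random) -> list[bytes]:
    """Split one large message body into pieces of base_size plus a small
    random increment, so the seams between pieces are not predictable."""
    pieces, offset = [], 0
    while offset < len(body):
        size = base_size + rng.randint(0, max_jitter)
        pieces.append(body[offset:offset + size])
        offset += size
    return pieces


def seam_offsets(pieces: list[bytes]) -> list[int]:
    """Byte offsets at which the message was cut (the end is not a seam)."""
    offsets, pos = [], 0
    for piece in pieces[:-1]:
        pos += len(piece)
        offsets.append(pos)
    return offsets


def seams_for_run(body: bytes, base_size: int, max_jitter: int,
                  seed: int) -> list[int]:
    """Seam positions produced by one run; the seed stands in for the
    per-run randomness, so different seeds model different Snort runs."""
    return seam_offsets(chunk_message(body, base_size, max_jitter,
                                      random.Random(seed)))


def count_pieces(bodies: list[bytes], base_size: int, max_jitter: int,
                 seed: int) -> int:
    """Total piece count for a whole trace, the analogue of the
    'Total packets processed' figure under HTTP Inspect."""
    rng = random.Random(seed)
    return sum(len(chunk_message(b, base_size, max_jitter, rng)) for b in bodies)


# Constructed trace: 200 HTTP bodies of 64 KiB each.
TRACE = [bytes([i % 256]) * 65536 for i in range(200)]

if __name__ == "__main__":
    for seed in range(4):
        print(f"run {seed}: total pieces: "
              f"{count_pieces(TRACE, BASE_PIECE_SIZE, MAX_JITTER, seed)}")
    print("no jitter:", count_pieces(TRACE, BASE_PIECE_SIZE, 0, 0))
```

With the jitter set to 0 every run yields the same count and the same seam offsets, which is the deterministic behaviour the original question expected; with jitter enabled the per-body count is 16 or 17 and the seams move, so an evader cannot place content across a known boundary.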


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
