Snort mailing list archives

Re: Non-Determinism in Snort detection engine


From: Edward Borgoyn <e.c.borgoyn () ieee org>
Date: Fri, 7 Jul 2017 07:53:43 -0400

In some situations, the -H option will remove non-deterministic behavior
from Snort.

On Fri, Jul 7, 2017 at 7:49 AM, Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk>
wrote:

No! Here is my snort command,


snort --pcap-file=/path_to_pcap_file.txt  -c  snort.conf -l /var/log/snort


Asad
------------------------------
*From:* Edward Borgoyn <e.c.borgoyn () ieee org>
*Sent:* Friday, July 7, 2017 12:45:52 PM
*To:* Asad, Hafiz ul
*Cc:* Snort-users () lists snort org; snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] Non-Determinism in Snort detection engine

Are you running Snort with the -H command line option?

On Fri, Jul 7, 2017 at 7:37 AM, Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk>
wrote:

Snort team,

I have recently observed that snort, having the same rules (pre-processor
rules to be precise), has generated a different
number of alerts for the same pcap traffic when run twice. Is there
any non-determinism in the snort engine, or might I
have done something wrong with the experiment?



To be more precise, in the alerts data in the mysql database, different
packets (same source IP and destination but different IP ID) of the same TCP
session have been alerted on by the same preprocessor rule, SID=33,
GID=119, msg: http_inspect: UNESCAPED SPACE IN HTTP URI. This is
after I ran the experiment twice on the same pcap data.


Asad
------------------------------
*From:* Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk>
*Sent:* Friday, July 7, 2017 12:11:15 PM
*To:* Snort-users () lists snort org; snort-users () lists sourceforge net
*Subject:* [Snort-users] Fw: Non-Determinism in Snort detection engine





------------------------------
*From:* Asad, Hafiz ul
*Sent:* Thursday, July 6, 2017 5:50 PM
*To:* snort-users () lists sourceforge net
*Subject:* Non-Determinism in Snort detection engine


Snort team,


I have recently observed that snort, having the same rules (pre-processor
rules to be precise), has generated a different number of alerts for the
same pcap traffic when run twice. Is there any non-determinism in the snort
engine, or might I have done something wrong with the experiment?


Regards,

Asad

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!



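Added example, not from the thread or the Snort project: a POSIX shell script that runs Snort twice over the same pcap list with -H (deterministic hash tables), as suggested above, and compares per-[gid:sid:rev] alert counts between the two runs, which is the check the reported experiment needs. The flags -H, -q, -A fast, --pcap-file, -c and -l are Snort 2.x options; the output directory, the fast-alert file name `alert`, and the alert lines produced by write_sample are assumptions/constructed data.

```sh
#!/bin/sh
# Added example (not from the thread): reproducibility check for Snort alerts.
# Output dir and the sample alert lines below are constructed for illustration.
# Print "count [gid:sid:rev]" lines, sorted, from a fast-format alert file.
alert_counts() {
    grep -o '\[[0-9]*:[0-9]*:[0-9]*]' "$1" | sort | uniq -c | sed 's/^ *//' | sort
}
# Compare two alert files; return 0 when the per-signature counts are identical.
compare_runs() {
    a=$(alert_counts "$1")
    b=$(alert_counts "$2")
    if [ "$a" = "$b" ]; then
        echo "identical: $(printf '%s\n' "$a" | wc -l | tr -d ' ') signature(s)"
        return 0
    fi
    tmpd=${TMPDIR:-/tmp}
    printf '%s\n' "$a" > "$tmpd/run_a.$$"
    printf '%s\n' "$b" > "$tmpd/run_b.$$"
    echo "alert counts differ (run 1 vs run 2):"
    diff "$tmpd/run_a.$$" "$tmpd/run_b.$$" || :
    rm -f "$tmpd/run_a.$$" "$tmpd/run_b.$$"
    return 1
}
# Run Snort twice on the same input with -H and compare the two alert files.
# $1 = file listing pcaps (as with --pcap-file), $2 = snort.conf, $3 = output dir.
run_twice() {
    out=${3:-/tmp/snort-determinism}   # assumed location
    for n in 1 2; do
        mkdir -p "$out/run$n"
        snort -H -q -A fast --pcap-file="$1" -c "$2" -l "$out/run$n"
    done
    compare_runs "$out/run1/alert" "$out/run2/alert"
}
# Write a constructed fast-format alert file with $2 http_inspect 119:33 hits
# plus one hit of a local rule, to exercise the comparison without Snort.
write_sample() {
    : > "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        i=$((i + 1))
        echo "07/07-12:45:52.00000$i  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 3] {TCP} 10.0.0.5:51000 -> 10.0.0.9:80" >> "$1"
    done
    echo "07/07-12:45:53.000009  [**] [1:1000001:1] constructed local test rule [**] [Priority: 1] {TCP} 10.0.0.9:80 -> 10.0.0.5:51000" >> "$1"
}
if [ $# -eq 2 ]; then run_twice "$1" "$2"; fi
```

Invoke as `sh check.sh /path_to_pcap_file.txt snort.conf`; a non-zero exit with a diff of per-signature counts means the two runs disagreed even with -H, which points at something other than hash-table ordering.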
