Snort mailing list archives

Re: Non-Determinism in Snort detection engine


From: Russ via Snort-users <snort-users () lists snort org>
Date: Fri, 7 Jul 2017 08:42:24 -0400



On 7/7/17 7:56 AM, Asad, Hafiz ul wrote:

Thanks! As I am completely blank with the snort engine, can you confirm that it has some sort of non-determinism (read that its engine has a non-deterministic automaton)?

Yes, it does have an available NFA for fast pattern searches, but that won't cause different alerts. -H uses fixed hash seeds and flush points to ensure repeatable results.

------------------------------------------------------------------------
*From:* Edward Borgoyn <e.c.borgoyn () ieee org>
*Sent:* Friday, July 7, 2017 12:53:43 PM
*To:* Asad, Hafiz ul
*Cc:* Snort-users () lists snort org; snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] Non-Determinism in Snort detection engine
In some situations, the -H option will remove non-deterministic behavior from Snort.

On Fri, Jul 7, 2017 at 7:49 AM, Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk <mailto:Hafiz-ul.Asad () city ac uk>> wrote:

    No! Here is my snort command,


    snort --pcap-file=/path_to_pcap_file.txt -c snort.conf -l /var/log/snort


    Asad

    ------------------------------------------------------------------------
    *From:* Edward Borgoyn <e.c.borgoyn () ieee org
    <mailto:e.c.borgoyn () ieee org>>
    *Sent:* Friday, July 7, 2017 12:45:52 PM
    *To:* Asad, Hafiz ul
    *Cc:* Snort-users () lists snort org
    <mailto:Snort-users () lists snort org>;
    snort-users () lists sourceforge net
    <mailto:snort-users () lists sourceforge net>
    *Subject:* Re: [Snort-users] Non-Determinism in Snort detection
    engine
    Are you running Snort with the -H command line option?

    On Fri, Jul 7, 2017 at 7:37 AM, Asad, Hafiz ul
    <Hafiz-ul.Asad () city ac uk <mailto:Hafiz-ul.Asad () city ac uk>> wrote:

        >> Snort team,
        >>
        >> I have recently observed that snort, having the same rules
        >> (pre-processor rules to be precise), has generated a different
        >> number of alerts for the same pcap traffic when run twice.
        >> Is there any non-determinism in the snort engine or might I
        >> have done something wrong with the experiment?



        To be more precise, in the alerts data in the mysql database,
        different packets (same source IP and destination but different
        IP ID) of the same TCP session have been alerted by the same
        preprocessor rule, SID=33, GID=119, msg: "http_inspect: UNESCAPED
        SPACE IN HTTP URI". This is after I ran the experiment twice
        for the same pcap data.


        Asad

        ------------------------------------------------------------------------
        *From:* Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk
        <mailto:Hafiz-ul.Asad () city ac uk>>
        *Sent:* Friday, July 7, 2017 12:11:15 PM
        *To:* Snort-users () lists snort org
        <mailto:Snort-users () lists snort org>;
        snort-users () lists sourceforge net
        <mailto:snort-users () lists sourceforge net>
        *Subject:* [Snort-users] Fw: Non-Determinism in Snort
        detection engine




        ------------------------------------------------------------------------
        *From:* Asad, Hafiz ul
        *Sent:* Thursday, July 6, 2017 5:50 PM
        *To:* snort-users () lists sourceforge net
        <mailto:snort-users () lists sourceforge net>
        *Subject:* Non-Determinism in Snort detection engine

        Snort team,


        I have recently observed that snort, having the same rules
        (pre-processor rules to be precise), has generated a different
        number of alerts for the same pcap traffic when run twice. Is
        there any non-determinism in the snort engine or might I have
        done something wrong with the experiment?


        regards

        Asad


        _______________________________________________
        Snort-users mailing list
        Snort-users () lists snort org <mailto:Snort-users () lists snort org>
        Go to this URL to change user options or unsubscribe:
        https://lists.snort.org/mailman/listinfo/snort-users
        <https://lists.snort.org/mailman/listinfo/snort-users>

        Please visit http://blog.snort.org to stay current on all the
        latest Snort news!





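The check the thread is circling around, as an added example that is not code from the Snort project or from any poster: run Snort over the same pcap twice with -H and compare the per-rule alert counts, so that a repeatability problem shows up as a concrete (gid, sid) difference rather than a vague "different number of alerts". It assumes the Snort 2.x command-line options listed in `snort --help` (`-H` for deterministic hash tables, `-A console` for fast-format alerts on stdout, `-r` for a single pcap, `-q` to suppress the banner and statistics); the thread's `--pcap-file=` takes a list of pcaps instead, so substitute it if that is what you use. The fast-format alert lines in `SAMPLE_RUN_A` and `SAMPLE_RUN_B` are constructed for this example, not captured from a real run.

```python
"""Compare per-rule alert counts across repeated Snort runs of one pcap.

Added example, not code from the Snort project or from the mailing-list
thread. Assumes the Snort 2.x options documented in `snort --help`:
  -H          make hash tables deterministic
  -A console  print alerts in "fast" format to stdout
  -r <pcap>   read a single pcap
  -c <conf>   configuration file
  -q          quiet (no banner / statistics)
The sample alert output below is constructed for the example.
"""
import re
import subprocess
from collections import Counter

# Every fast-format alert line carries a "[**] [gid:sid:rev]" tag, e.g.
# "[**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**]".
RULE_TAG = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]")


def parse_fast_alerts(text):
    """Return a Counter keyed by (gid, sid) built from console/fast alert output."""
    counts = Counter()
    for line in text.splitlines():
        m = RULE_TAG.search(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def diff_alert_counts(run_a, run_b):
    """Return {(gid, sid): (count_a, count_b)} for every rule whose count differs."""
    keys = set(run_a) | set(run_b)
    return {k: (run_a[k], run_b[k]) for k in sorted(keys) if run_a[k] != run_b[k]}


def run_snort(pcap, conf, deterministic=True, snort_bin="snort"):
    """Run Snort once over `pcap` and return its console alert output as text."""
    cmd = [snort_bin, "-q", "-A", "console", "-c", conf, "-r", pcap]
    if deterministic:
        cmd.insert(1, "-H")  # fixed hash seeds / flush points, as discussed in the thread
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def check_repeatable(pcap, conf, runs=2, deterministic=True):
    """Run Snort `runs` times; return the per-rule differences of each later run vs. the first.

    An empty dict for every entry means the alert counts were identical.
    """
    first = parse_fast_alerts(run_snort(pcap, conf, deterministic))
    return [
        diff_alert_counts(first, parse_fast_alerts(run_snort(pcap, conf, deterministic)))
        for _ in range(runs - 1)
    ]


# Constructed sample output (not real Snort output): run B fires 119:33 once more than run A.
SAMPLE_RUN_A = """\
07/06-17:50:01.000001  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 3] {TCP} 10.0.0.5:41234 -> 10.0.0.9:80
07/06-17:50:01.000002  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 3] {TCP} 10.0.0.5:41234 -> 10.0.0.9:80
07/06-17:50:01.000003  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.5:41234 -> 10.0.0.9:80
"""
SAMPLE_RUN_B = SAMPLE_RUN_A + """\
07/06-17:50:01.000004  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 3] {TCP} 10.0.0.5:41234 -> 10.0.0.9:80
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed samples. With a real pcap and
    # snort.conf, call: check_repeatable("/path/to/file.pcap", "snort.conf")
    a, b = parse_fast_alerts(SAMPLE_RUN_A), parse_fast_alerts(SAMPLE_RUN_B)
    print(diff_alert_counts(a, b))  # {(119, 33): (2, 3)}
```

Comparing counts per (gid, sid) rather than raw alert totals is deliberate: the thread's report is that the same preprocessor rule fired on different packets of the same TCP session between runs, so a per-rule table pinpoints which preprocessor is involved. Running the check once with `deterministic=False` and once with the default `-H` also separates "hash-table ordering" non-determinism, which `-H` removes, from anything else in the setup.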