[Snort-devel] Randomness in Snort engine

Tom Peters (thopeter) thopeter at ...3461...
Thu Sep 11 14:14:14 EDT 2014


A possible explanation for your results.

Snort divides up very large protocol messages (e.g. HTTP message body) into pieces for processing. There is a small random increment added to the piece size that may vary between runs. Its purpose is to prevent the seams between message pieces from falling in predictable places that might be exploited to hide something from detection.

Over a very long run this jitter in the packet boundaries might add up to a slightly different number of packets.


From: Hyunseok <hyunseok at ...1117...>
Reply-To: hyunseok at ...1117...
Date: Thursday, September 11, 2014 12:33 PM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] Randomness in Snort engine


I have one question about Snort.

I was running Snort in offline mode by feeding a tcpdump packet trace to it.

I expected that the Snort analysis result would be identical when I re-ran Snort multiple times with the same packet trace.

However, I noticed that the total packets processed is slightly different across different runs, which affects other analysis results.

result.0:    Total packets processed:              230718
result.1:    Total packets processed:              230720
result.2:    Total packets processed:              230722
result.3:    Total packets processed:              230721

Do you guys have any idea where this slight randomness comes from in Snort?

I'm using the default snort configuration with default rule sets.

This question might be user-oriented, but I thought developers may have a better idea on the root cause.
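
A toy model of the behaviour described in the reply above, added here as an illustration and not taken from Snort's source: `BASE_PIECE`, `MAX_JITTER`, the body length and the 8-byte span are all assumed, constructed values. With fixed piece sizes the seams and the piece count are identical on every run; with a small random increment per piece, both vary slightly between runs, and a given byte span no longer lands on a seam every time.

```python
import random

BASE_PIECE = 16384  # assumed base piece size in bytes, not Snort's real value
MAX_JITTER = 192    # assumed upper bound of the random increment

def seams(total_len, rng=None):
    """Offsets at which a body of total_len bytes is cut into pieces.
    rng=None models fixed-size pieces; otherwise each piece gets a jitter."""
    cuts, pos = [], 0
    while True:
        pos += BASE_PIECE + (rng.randrange(MAX_JITTER + 1) if rng else 0)
        if pos >= total_len:
            return cuts
        cuts.append(pos)

def piece_count(total_len, rng=None):
    return len(seams(total_len, rng)) + 1

def straddles(cuts, start, length):
    """True if the byte span [start, start + length) crosses a seam."""
    return any(start < c < start + length for c in cuts)

def survey(total_len, runs, start, length):
    """Repeat the jittered split with a fresh seed per run.
    Returns (distinct piece counts seen, runs in which the span was split)."""
    counts, split = set(), 0
    for seed in range(runs):
        cuts = seams(total_len, random.Random(seed))
        counts.add(len(cuts) + 1)
        split += straddles(cuts, start, length)
    return counts, split

if __name__ == "__main__":
    body = 3000 * (BASE_PIECE + MAX_JITTER // 2)  # constructed body length
    span = (BASE_PIECE - 4, 8)  # constructed 8-byte span over the first fixed seam
    fixed = seams(body)
    print("fixed pieces:", len(fixed) + 1, "span split:", straddles(fixed, *span))
    counts, split = survey(body, 50, *span)
    print("jittered piece counts:", sorted(counts), "span split in", split, "of 50 runs")
```
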

