[Snort-devel] Randomness in Snort engine
hyunseok at ...1117...
Thu Sep 11 14:47:30 EDT 2014
Thanks for your reply.
It's true that the "total packets processed" that I showed earlier is indeed
the pkt-count stat under the "HTTP Inspect" section.
However, I am not sure if I fully understand the symptom.
I see that the packet counter is incremented in
SnortHttpInspect(HTTPINSPECT_GLOBAL_CONF *GlobalConf, Packet *p).
Are you saying that Snort assembles MTU-size tcpdump-captured packets to
construct a large HTTP message body, and then re-chops it into a slightly
varying number of "Packet"s which are then injected into
Sorry, I am new to Snort.
On Thu, Sep 11, 2014 at 2:14 PM, Tom Peters (thopeter) <thopeter at ...3461...>
> A possible explanation for your results.
> Snort divides up very large protocol messages (e.g. HTTP message body)
> into pieces for processing. There is a small random increment added to the
> piece size that may vary between runs. Its purpose is to prevent the seams
> between message pieces from falling in predictable places that might be
> exploited to hide something from detection.
> Over a very long run this jitter in the packet boundaries might add up
> to a slightly different number of packets.
> From: Hyunseok <hyunseok at ...1117...>
> Reply-To: "hyunseok at ...1117..." <hyunseok at ...1117...>
> Date: Thursday, September 11, 2014 12:33 PM
> To: "snort-devel at lists.sourceforge.net" <snort-devel at lists.sourceforge.net>
> Subject: [Snort-devel] Randomness in Snort engine
> I have one question about Snort.
> I was running Snort in offline mode by feeding a tcpdump packet trace to
> I expected that Snort analysis result would be identical when I re-run
> Snort multiple times with the same packet trace.
> However, I noticed that the total packets processed is slightly
> different across different runs, which affects other analysis results.
> result.0: Total packets processed: 230718
> result.1: Total packets processed: 230720
> result.2: Total packets processed: 230722
> result.3: Total packets processed: 230721
> Do you guys have any idea where this slight randomness comes from in
> I'm using the default snort configuration with default rule sets.
> This question might be user-oriented, but I thought developers may have
> a better idea on the root cause.
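The piece-splitting with random jitter that Tom describes, modelled as an added Python example (this is not Snort's code; the nominal piece size, the jitter range and the body lengths are assumed values chosen for illustration). It shows why the "Total packets processed" figure can drift by a few packets between runs of the same trace, and why the seams are only predictable when the jitter is zero:

```python
import random

# Assumed values (not Snort's real constants): a nominal piece size and the
# small random increment added to it, as described for large HTTP bodies.
PIECE_SIZE = 16 * 1024
MAX_JITTER = 256


def split_message(body_len, rng, max_jitter=MAX_JITTER):
    """Return the (start, end) pieces a body of body_len bytes is cut into.

    Each piece is PIECE_SIZE plus a random increment in [0, max_jitter], so
    the seams move from run to run.  max_jitter=0 reproduces fixed seams.
    """
    pieces = []
    start = 0
    while start < body_len:
        size = PIECE_SIZE + rng.randint(0, max_jitter)
        end = min(start + size, body_len)
        pieces.append((start, end))
        start = end
    return pieces


def count_pieces_per_run(body_lens, seeds, max_jitter=MAX_JITTER):
    """Total piece ('Packet') count for a trace of several large bodies,
    one value per run.  Each run has its own random state, which is what
    makes the per-run totals differ slightly, like the four results above."""
    counts = []
    for seed in seeds:
        rng = random.Random(seed)
        total = sum(len(split_message(n, rng, max_jitter)) for n in body_lens)
        counts.append(total)
    return counts


def seam_positions(body_len, seed, max_jitter=MAX_JITTER):
    """Byte offsets where one body is cut; identical across seeds only when
    max_jitter == 0, i.e. only then can the seam locations be predicted."""
    rng = random.Random(seed)
    return [end for _, end in split_message(body_len, rng, max_jitter)[:-1]]


if __name__ == "__main__":
    # Constructed trace: 200 HTTP bodies of a few hundred KB each.
    bodies = [300_000 + 1_234 * i for i in range(200)]
    print("fixed seams   :", count_pieces_per_run(bodies, range(4), max_jitter=0))
    print("jittered seams:", count_pieces_per_run(bodies, range(4)))
    print("first seams, run 0:", seam_positions(100_000, 0)[:3])
    print("first seams, run 1:", seam_positions(100_000, 1)[:3])
```

With `max_jitter=0` every run prints the same total and the same seam offsets; with the jitter enabled the totals differ by a handful of pieces across runs, which is the behaviour seen in result.0 to result.3.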