Sun Jan 6 04:06:04 EST 2002


Hi all,
I'm running snort in a bakeoff against some other IDSs, and I'm getting some funny results.  To begin with, I'm running in the foreground just to make sure it's seeing the correct traffic (snort -i eth2 -L test.log).  I've included only the web rules, and I have about 500 sigs loaded, so it's definitely using the snort.conf that I've created.  System and traffic specifics are given below.

1st Problem:  While snort is running, I've been opening another window and doing "snort -r test.log" just to keep an eye on what's going on.  When I do this, one of two things happens:

1.  Snort segfaults.
2.  I get real funky results, like only ICMP Port Unreachable alerts (if any) and a total packet count of 0-5.

It doesn't appear that I should be trying to run 2 instances of snort concurrently?

2nd Problem:  If I don't try to run snort a second time and just wait for the test to finish, then Ctrl-C, I get a real high drop rate (around 50-60%), but the packet counts seem reasonable.  Alerts, Logged, and Passed all say 0.

If I run tcpdump on the same interface, I see tons of web traffic, and the other IDSs in the bakeoff see it too.
I don't have my snort.conf file to show, but for the most part it's pretty vanilla.  I changed my home net, and commented out some of the rules (everything except web), but other than that it's stock.

I'm a bit at a loss, and any help would be GREATLY appreciated.

Traffic:  real world.  Lots of web, DNS - loaded with attacks.  As per Marcus Ranum's new paper, I'm "Comparatively Measuring IDSs Against Each Other".  Traffic rate should be like 120Mbit/s spiking to 150Mbit/s.

IDS: Dual 1.0 GHz, 512M RAM, SysKonnect Gigabit card.  It's basically the Enterasys appliance that I'm hoping to test snort on (they are one of the IDSs being tested).

Thanks guys/gals,

Norm Msis
Security Consultant
