[Snort-users] Number of alerts [in]consistency
stefmit at ...11827...
Sat Oct 23 14:31:11 EDT 2004
I have a question regarding alerts being recorded using Snort:
- environment = MacOSX (10.3.5) + Snort 2.1.3 (build 27)

I am trying to analyze alerts created using a file of 3.9MB, as follows:
$ sudo snort -d -c /etc/snort/snort.conf -r my-file.cap

Problem? Different runs, different results, i.e. even though I always
get to see the same number of packets being processed, I get a different
number of alerts (!!!). The config file stays the same, and the only
thing that changes is really what I am working on at that time on my
system (i.e. probably load related?!?).

So - is snort so sensitive that it drops/fails alerts, even for pcap
files being read in, depending on the load of the system at that
time?!? I am asking this because the load of the system is the only
variable I can think of, even though this never goes high during any
of those runs ...
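An added example, not part of the original post, of one way to pin down which alerts differ between two runs of the same pcap: it parses Snort's fast-format alert output (`-A fast`) from two runs and reports the alerts whose counts differ. The alert lines are constructed samples; the sids 1000001/1000002, the addresses and the `run1`/`run2` log directories are assumptions.

```python
import re
from collections import Counter

# Snort 2.x "fast" alert line (-A fast), e.g. the constructed samples below.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_alerts(text):
    """Count alerts keyed by (timestamp, gid:sid, src, dst).

    When Snort replays a pcap the alert timestamp comes from the packet
    header, so the same packet carries the same timestamp in every run and
    this key identifies an alert across runs."""
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            counts[(m["ts"], f"{m['gid']}:{m['sid']}", m["src"], m["dst"])] += 1
    return counts

def diff_runs(run_a, run_b):
    """Return {key: (count_in_a, count_in_b)} for alerts whose counts differ."""
    a, b = parse_alerts(run_a), parse_alerts(run_b)
    return {k: (a[k], b[k]) for k in sorted(set(a) | set(b)) if a[k] != b[k]}

# Constructed sample output of two replays of one pcap (assumed sids/addresses).
RUN1 = """\
10/23-14:31:11.000001  [**] [1:1000001:1] TEST web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3456 -> 192.0.2.20:80
10/23-14:31:11.000200  [**] [1:1000002:1] TEST icmp ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
10/23-14:31:11.000450  [**] [1:1000001:1] TEST web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.11:3457 -> 192.0.2.20:80
"""
RUN2 = "\n".join(RUN1.splitlines()[:2]) + "\n"  # second run lost the third alert

if __name__ == "__main__":
    # Real use (assumed directories): run
    #   snort -A fast -c /etc/snort/snort.conf -r my-file.cap -l run1
    # twice (second time with -l run2) and pass the two alert files here.
    print("alerts per run:", sum(parse_alerts(RUN1).values()),
          sum(parse_alerts(RUN2).values()))
    for key, (n1, n2) in diff_runs(RUN1, RUN2).items():
        print(f"run1={n1} run2={n2}  {key}")
```

Alerts that appear in the diff are the ones to inspect in the pcap: a stable set of missing alerts points at configuration or rule state, while a varying set points at packet handling under load.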