[Snort-users] Number of alerts [in]consistency

Stef stefmit at ...11827...
Sat Oct 23 14:31:11 EDT 2004


Hi,

I have a question regarding alerts being recorded using Snort:

- environment = MacOSX (10.3.5) + Snort 2.1.3 (build 27)

I am trying to analyze alerts created using a file of 3.9MB, as follows:

$ sudo snort -d -c /etc/snort/snort.conf -r my-file.cap

Problem? Different runs, different results, i.e. even though I always
see the same number of packets being processed, I get a different
number of alerts (!!!). The config file stays the same, and the only
thing that changes is really what I am working on at that time on my
system (i.e. probably load related?!?).

So - is Snort so sensitive that it drops/fails alerts, even for pcap
files being read in, depending on the load of the system at that
time?!? I am asking this because the load of the system is the only
variable I can think of, even though it never goes high during any
of those runs ...

TIA,
Stef
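Added example (not code from the original post or from the Snort project): a small Python script that repeats the same offline run several times and reports which signatures change count between runs, so the variance in the question can be pinned to specific rules instead of a total. It assumes a Snort 2.x binary on the PATH and uses -A fast and -l to get a plain-text alert file per run; the pcap and config paths are command-line placeholders, and the two sample alert files embedded in it are constructed, not captured output.

```python
"""Repeat an offline Snort run over one pcap and compare the alerts it emits.

Added example, not code from the original post. Assumes a Snort 2.x
binary on PATH; the -A fast / -l flags write a plain-text 'alert' file in
the log directory, which is parsed and compared per signature (gid:sid).
"""
import re
import subprocess
import sys
import tempfile
from collections import Counter
from pathlib import Path

# One Snort fast-alert line has the shape (constructed sample, not real traffic):
#   10/23-14:31:11.000001  [**] [1:1000001:1] TEST rule one [**] [Priority: 3] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80
FAST_ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+.*?\s+\[\*\*\]")

# Constructed alert files standing in for two runs over the same pcap.
SAMPLE_RUN_A = """\
10/23-14:31:11.000001  [**] [1:1000001:1] TEST rule one [**] [Priority: 3] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80
10/23-14:31:11.000002  [**] [1:1000001:1] TEST rule one [**] [Priority: 3] {TCP} 10.0.0.1:1235 -> 10.0.0.2:80
10/23-14:31:11.000003  [**] [1:1000002:1] TEST rule two [**] [Priority: 3] {UDP} 10.0.0.1:53 -> 10.0.0.2:53
"""
SAMPLE_RUN_B = """\
10/23-14:31:11.000001  [**] [1:1000001:1] TEST rule one [**] [Priority: 3] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80
10/23-14:31:11.000003  [**] [1:1000002:1] TEST rule two [**] [Priority: 3] {UDP} 10.0.0.1:53 -> 10.0.0.2:53
"""


def parse_fast_alerts(text):
    """Count alerts per (gid, sid) in the text of a Snort fast-alert file."""
    counts = Counter()
    for line in text.splitlines():
        m = FAST_ALERT_RE.search(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def diff_runs(runs):
    """Map each signature whose count differs between runs to its per-run
    counts, in run order. An empty result means the runs were identical."""
    sigs = set().union(*runs)
    return {sig: [r[sig] for r in runs]
            for sig in sorted(sigs)
            if len({r[sig] for r in runs}) > 1}


def run_snort(pcap, conf, n=5, snort="snort"):
    """Run Snort n times over the same pcap; return per-run signature counts."""
    runs = []
    for _ in range(n):
        with tempfile.TemporaryDirectory() as logdir:
            subprocess.run(
                [snort, "-A", "fast", "-c", conf, "-r", pcap, "-l", logdir],
                check=True, stdout=subprocess.DEVNULL)
            alert = Path(logdir) / "alert"
            runs.append(parse_fast_alerts(alert.read_text() if alert.exists() else ""))
    return runs


def demo():
    """Compare the two constructed sample runs (used when no pcap is given)."""
    return diff_runs([parse_fast_alerts(SAMPLE_RUN_A), parse_fast_alerts(SAMPLE_RUN_B)])


if __name__ == "__main__":
    # usage: python snort_repeat.py my-file.cap /etc/snort/snort.conf [runs]
    if len(sys.argv) >= 3:
        n = int(sys.argv[3]) if len(sys.argv) > 3 else 5
        runs = run_snort(sys.argv[1], sys.argv[2], n)
        print("total alerts per run:", [sum(r.values()) for r in runs])
        diffs = diff_runs(runs)
    else:
        diffs = demo()
    for (gid, sid), counts in diffs.items():
        print(f"{gid}:{sid} varies across runs: {counts}")
    if not diffs:
        print("alert counts identical across runs")
```

Run it with the pcap and config from the question to get a per-signature breakdown; without arguments it compares the two constructed samples and reports that signature 1:1000001 fired twice in one run and once in the other.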