[Snort-users] Snort gives different stats for different runs with the same set of inputs

Mahendra Ladhe lml108 at ...131...
Thu Dec 12 23:22:24 EST 2013


Thanks Russ. Using -H, now I get the same stats after each run.

So this was due to use of random number generator for seed and scale
in hash table usage.

Thank you.
Mahendra




On Friday, 13 December 2013 12:12 AM, Russ Combs <rcombs at ...1935...> wrote:
 
Try adding -H to your command line and see what happens.




On Thu, Dec 12, 2013 at 3:54 AM, Mahendra Ladhe <lml108 at ...131...> wrote:

>Hi,
>    when I run snort more than once on the same input pcap file on the same x86 machine
>with the same set of arguments, the stats printed are different.
>
>Output of snort -V
>   
>   ,,_     -*> Snort! <*-
>  o"  )~   Version 2.9.5.6 GRE (Build 208)
>   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>           Using libpcap version 1.0.0
>           Using PCRE version: 7.8 2008-09-05
>           Using ZLIB version: 1.2.3
>
>My command lines to invoke snort:
>
>sudo snort -c /blah/blah/snort_rules_asis/etc/snort.conf -r /blah/blah/LLS_DDOS_1.0-dmz.dump -k none >>~/log1 2>>~/log1
>sudo snort -c /blah/blah/snort_rules_asis/etc/snort.conf -r /blah/blah/LLS_DDOS_1.0-dmz.dump -k none >>~/log2 2>>~/log2
>
>I'm using the snort.conf that ships with the snort rules 2.9.5.5 as is.
>
>I'm having empty 
>snort_rules_asis/rules/white_list.rules
>snort_rules_asis/rules/black_list.rules
>files.
>
>Here is the relevant part the difference between the two log files generated.
>$ diff -u ~/log1 ~/log2
>
>--- log1    2013-12-12 13:52:31.972748000 +0530
>+++ log2    2013-12-12 13:52:31.978745000 +0530
>@@ -460,13 +460,13 @@
>    Injected:            0
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>-        Eth:       394732 (100.000%)
>+        Eth:       394733 (100.000%)
>        VLAN:            0 (  0.000%)
>-        IP4:       390468 ( 98.920%)
>+        IP4:       390469 ( 98.920%)
>        Frag:            0 (  0.000%)
>        ICMP:         3034 (  0.769%)
>         UDP:         3448 (  0.874%)
>-        TCP:       383986 ( 97.278%)
>+        TCP:       383987 ( 97.278%)
>         IP6:            0 (  0.000%)
>     IP6 Ext:            0 (  0.000%)
>    IP6 Opts:            0 (  0.000%)
>@@ -505,8 +505,8 @@
> Bad Chk Sum:            0 (  0.000%)
>     Bad TTL:            0 (  0.000%)
>      S5 G 1:          381 (  0.097%)
>-     S5 G 2:          262 (  0.066%)
>-      Total:       394732
>+     S5 G 2:          263 (  0.067%)
>+      Total:       394733
> ===============================================================================
> Action Stats:
>      Alerts:            0 (  0.000%)
>@@ -519,10 +519,10 @@
>       Event:            0
>       Alert:            0
> Verdicts:
>-      Allow:       388534 ( 98.590%)
>+      Allow:       394089 (100.000%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>-  Whitelist:         5555 (  1.410%)
> Whitelist:            0 (  0.000%)
>   Blacklist:            0 (  0.000%)
>      Ignore:            0 (  0.000%)
> ===============================================================================
>@@ -556,10 +556,10 @@
> TCP StreamTrackers Deleted: 9466
>               TCP Timeouts: 57
>               TCP Overlaps: 7
>-       TCP Segments Queued: 85702
>-     TCP Segments Released: 85702
>-       TCP Rebuilt Packets: 27267
>-         TCP Segments Used: 85275
>+       TCP Segments Queued: 87295
>+     TCP Segments Released: 87295
>+       TCP Rebuilt Packets: 27447
>+         TCP Segments Used: 86868
>               TCP Discards: 24
>                   TCP Gaps: 7693
>       UDP Sessions Created: 734
>@@ -594,7 +594,7 @@
>     HTTP Response Gzip packets extracted: 0         
>     Gzip Compressed Data Processed:       n/a       
>     Gzip Decompressed Data Processed:     n/a       
>-    Total packets processed:              218796    
>+    Total packets processed:              222212    
> ===============================================================================
> SMTP Preprocessor Statistics
>   Total sessions                                    : 524
>
>
>If I run snort a couple of more times, I see stats, a small part of which differs from the previous run.
>Could someone please explain the reason behind this ?
>
>
>Thank you.
>Mahendra
>
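A small model of the behaviour the thread describes, added here as an illustration; it is not code from the thread or from Snort. It builds a capacity-limited flow table whose row assignment depends on a hash seed and scale, feeds it a constructed packet trace, and reports the kind of counters Snort prints. The hash function, the eviction policy (drop the oldest entry of the lowest-numbered non-empty row) and the trace are all invented for the example and are not Snort's sfxhash; `run_once(deterministic=True)` stands in for `-H`, `run_once(deterministic=False)` for the default per-run random seeding. Per-run seeding is a common hardening against hash-collision flooding; the price is run-to-run reproducibility, which is why a fixed seed is what you want when diffing two runs in a test rig.

```python
import random

NROWS = 4        # hash rows in the toy table (constructed value)
CAPACITY = 3     # tracked flows allowed before pruning starts (constructed value)

# Constructed packet trace: each entry is the flow id a packet belongs to.
PACKETS = [1, 2, 3, 4, 1, 2, 3, 4, 5, 1, 2, 3]


def row_for(flow_id: int, seed: int, scale: int) -> int:
    """Toy hash: which row a flow lands in depends on seed and scale.
    Not Snort's hash; it only needs to move flows around when the seed changes."""
    return (flow_id * scale + seed) % NROWS


class FlowTable:
    """Capacity-limited flow tracker. When full it prunes the oldest entry of the
    lowest-numbered non-empty row, so *where* a flow hashes decides whether it
    survives. This pruning policy is a stand-in, not Snort's algorithm."""

    def __init__(self, seed: int, scale: int):
        self.seed, self.scale = seed, scale
        self.rows = [[] for _ in range(NROWS)]
        self.count = 0
        self.stats = {"created": 0, "pruned": 0, "hits": 0}

    def _prune(self) -> None:
        # Walk rows in index order and evict the first entry found.
        for row in self.rows:
            if row:
                row.pop(0)
                self.count -= 1
                self.stats["pruned"] += 1
                return

    def packet(self, flow_id: int) -> None:
        row = self.rows[row_for(flow_id, self.seed, self.scale)]
        if flow_id in row:
            self.stats["hits"] += 1      # packet matched a tracked flow
            return
        if self.count >= CAPACITY:
            self._prune()
        row.append(flow_id)
        self.count += 1
        self.stats["created"] += 1       # new flow tracked


def simulate(packets, seed: int, scale: int) -> dict:
    """Run the whole trace through a table seeded with (seed, scale)."""
    table = FlowTable(seed, scale)
    for flow_id in packets:
        table.packet(flow_id)
    return table.stats


def run_once(deterministic: bool) -> dict:
    """deterministic=True mirrors `snort -H`: a fixed seed and scale every run.
    deterministic=False mirrors the default: fresh random parameters per run."""
    if deterministic:
        seed, scale = 0, 1
    else:
        seed, scale = random.randrange(NROWS), random.choice([1, 3])
    return simulate(PACKETS, seed, scale)


def deterministic_runs_match() -> bool:
    """Two fixed-seed runs over the same trace must produce identical counters."""
    return run_once(True) == run_once(True)


if __name__ == "__main__":
    print("seed=0 scale=1:", simulate(PACKETS, 0, 1))
    print("seed=2 scale=1:", simulate(PACKETS, 2, 1))
    print("fixed-seed runs match:", deterministic_runs_match())
    print("two random-seed runs:", run_once(False), run_once(False))
```

With seed 0 the trace yields 8 flows created, 5 pruned and 4 hits; with seed 2 the same trace yields 9 created, 6 pruned and 3 hits. Every packet is either a hit or a creation, so the totals agree while the breakdown moves, which is the shape of the differences in the two Snort logs above.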