[Snort-users] Snort gives different stats for different runs with the same set of inputs

Stephen Fernandis [IT Shared Services – Hub] fernans at ...16617...
Fri Dec 13 03:29:42 EST 2013


Hi Russ/Mahendra,

I installed Snort on Windows 2003 servers properly, but when I try to install Apache 2.4 I get the error below. According to the error I uploaded the mod_fcgid.so file into modules, but I am still getting errors.

C:\>Ampps\apache\bin\httpd.exe -k install
Installing the Apache2.4 service
The Apache2.4 service is successfully installed.
Testing httpd.conf....
Errors reported here must be corrected before the service can be started.
httpd.exe: Syntax error on line 95 of C:/Ampps/apache/conf/httpd.conf: Cannot load modules/mod_fcgid.so into server: The specified module could not be found.

Kind Regards,
Stephen Fernandis
Network & Security Domain, Information Technology |MTN-HUB
Cell + 256 785373903 Desk +256 312125995 |email : fernans at ...16617...

I do not know anyone who has got to the top without hard work. That is the recipe. It will not always get you to the top, but should get you pretty near- In memory of Margaret Thatcher

From: Mahendra Ladhe [mailto:lml108 at ...131...]
Sent: Friday, December 13, 2013 7:22 AM
To: Russ Combs
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort gives different stats for different runs with the same set of inputs

Thanks Russ. Using -H, I now get the same stats after each run.
So this was due to the use of a random number generator for the seed and scale
in hash table usage.

Thank you.
Mahendra

On Friday, 13 December 2013 12:12 AM, Russ Combs <rcombs at ...1935...> wrote:
Try adding -H to your command line and see what happens.

On Thu, Dec 12, 2013 at 3:54 AM, Mahendra Ladhe <lml108 at ...131...> wrote:
Hi,
When I run Snort more than once on the same input pcap file on the same x86 machine
with the same set of arguments, the stats printed are different.

Output of snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5.6 GRE (Build 208)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

My command lines to invoke snort:

sudo snort -c /blah/blah/snort_rules_asis/etc/snort.conf -r /blah/blah/LLS_DDOS_1.0-dmz.dump -k none >>~/log1 2>>~/log1
sudo snort -c /blah/blah/snort_rules_asis/etc/snort.conf -r /blah/blah/LLS_DDOS_1.0-dmz.dump -k none >>~/log2 2>>~/log2

I'm using the snort.conf that ships with the snort rules 2.9.5.5 as is.

I have empty
snort_rules_asis/rules/white_list.rules
snort_rules_asis/rules/black_list.rules
files.

Here is the relevant part of the difference between the two log files generated.
$ diff -u ~/log1 ~/log2

--- log1    2013-12-12 13:52:31.972748000 +0530
+++ log2    2013-12-12 13:52:31.978745000 +0530
@@ -460,13 +460,13 @@
    Injected:            0
 ===============================================================================
 Breakdown by protocol (includes rebuilt packets):
-        Eth:       394732 (100.000%)
+        Eth:       394733 (100.000%)
        VLAN:            0 (  0.000%)
-        IP4:       390468 ( 98.920%)
+        IP4:       390469 ( 98.920%)
        Frag:            0 (  0.000%)
        ICMP:         3034 (  0.769%)
         UDP:         3448 (  0.874%)
-        TCP:       383986 ( 97.278%)
+        TCP:       383987 ( 97.278%)
         IP6:            0 (  0.000%)
     IP6 Ext:            0 (  0.000%)
    IP6 Opts:            0 (  0.000%)
@@ -505,8 +505,8 @@
 Bad Chk Sum:            0 (  0.000%)
     Bad TTL:            0 (  0.000%)
      S5 G 1:          381 (  0.097%)
-     S5 G 2:          262 (  0.066%)
-      Total:       394732
+     S5 G 2:          263 (  0.067%)
+      Total:       394733
 ===============================================================================
 Action Stats:
      Alerts:            0 (  0.000%)
@@ -519,10 +519,10 @@
       Event:            0
       Alert:            0
 Verdicts:
-      Allow:       388534 ( 98.590%)
+      Allow:       394089 (100.000%)
       Block:            0 (  0.000%)
     Replace:            0 (  0.000%)
-  Whitelist:         5555 (  1.410%)
+  Whitelist:            0 (  0.000%)
   Blacklist:            0 (  0.000%)
      Ignore:            0 (  0.000%)
 ===============================================================================
@@ -556,10 +556,10 @@
 TCP StreamTrackers Deleted: 9466
               TCP Timeouts: 57
               TCP Overlaps: 7
-       TCP Segments Queued: 85702
-     TCP Segments Released: 85702
-       TCP Rebuilt Packets: 27267
-         TCP Segments Used: 85275
+       TCP Segments Queued: 87295
+     TCP Segments Released: 87295
+       TCP Rebuilt Packets: 27447
+         TCP Segments Used: 86868
               TCP Discards: 24
                   TCP Gaps: 7693
       UDP Sessions Created: 734
@@ -594,7 +594,7 @@
     HTTP Response Gzip packets extracted: 0
     Gzip Compressed Data Processed:       n/a
     Gzip Decompressed Data Processed:     n/a
-    Total packets processed:              218796
+    Total packets processed:              222212
 ===============================================================================
 SMTP Preprocessor Statistics
   Total sessions                                    : 524

If I run Snort a couple more times, I again see stats of which a small part differs from the previous run.
Could someone please explain the reason behind this?

Thank you.
Mahendra




________________________________
NOTE: This e-mail message is subject to the MTN Group disclaimer see http://www.mtn.co.ug/email/Email-disclaimer.aspx
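The mechanism Mahendra confirms above (a per-run random seed folded into the session hash table, so the same pcap yields slightly different stats until -H pins the seed) can be reproduced in miniature. The following is an added illustration written for this page, not Snort's code: the direct-mapped one-flow-per-bucket eviction policy, the SHA-256 seed mixing, the counters and the constructed traffic are all assumptions chosen to make the effect visible, not a model of Stream5's real pruning or of Snort's actual hash function.

```python
"""Toy model of the behaviour Mahendra describes: a session table whose bucket
function folds in a per-run random seed, so two runs over the same packets
end up with different stats unless the seed is pinned (what Snort's -H does
in spirit). Added example; not Snort's code. The direct-mapped eviction
policy, SHA-256 seed mixing and the traffic below are constructed for it."""
import hashlib
import random
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport payload_len syn")


def flow_key(pkt):
    """Direction-independent TCP 5-tuple key (protocol fixed to TCP here)."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


class SessionTable:
    """One flow per bucket. A SYN that lands in an occupied bucket evicts the
    tenant (a crude stand-in for memcap-driven pruning). Data segments for a
    flow that is no longer tracked are not reassembled, so the reassembly
    counters depend on which flows collided, i.e. on the seed."""

    def __init__(self, buckets, seed):
        self.buckets = buckets
        self.seed = seed
        self.slots = {}            # bucket index -> flow key
        self.flows_created = 0
        self.flows_evicted = 0
        self.segments_queued = 0   # payload bytes queued for tracked flows
        self.segments_untracked = 0

    def bucket_of(self, key):
        # Mix the seed into the digest input. XOR-ing the seed onto the index
        # afterwards would only permute buckets and keep the collision pattern.
        h = hashlib.sha256(self.seed.to_bytes(8, "big") + repr(key).encode())
        return int.from_bytes(h.digest()[:4], "big") % self.buckets

    def process(self, pkt):
        key = flow_key(pkt)
        bucket = self.bucket_of(key)
        tenant = self.slots.get(bucket)
        if tenant != key:
            if not pkt.syn:
                # midstream data for an untracked flow: nothing to queue it on
                self.segments_untracked += pkt.payload_len
                return
            if tenant is not None:
                self.flows_evicted += 1
            self.slots[bucket] = key
            self.flows_created += 1
        self.segments_queued += pkt.payload_len

    def stats(self):
        return (self.flows_created, self.flows_evicted,
                self.segments_queued, self.segments_untracked)


def make_traffic(n_flows=48, rounds=6, rng_seed=2013):
    """Constructed capture: n_flows TCP flows, a SYN each in round 0 and one
    data segment per flow in each later round, interleaved like real traffic.
    The RNG seed is fixed so the *input* is identical on every run."""
    rng = random.Random(rng_seed)
    flows = [((f"10.0.0.{i + 1}", rng.randint(1024, 65535)),
              ("192.0.2.10", rng.choice([25, 80, 443]))) for i in range(n_flows)]
    packets = []
    for r in range(rounds):
        for (src, sport), (dst, dport) in flows:
            packets.append(Packet(src, sport, dst, dport,
                                  payload_len=0 if r == 0 else rng.randint(1, 1460),
                                  syn=(r == 0)))
    return packets


def run(packets, buckets=16, hash_seed=0):
    table = SessionTable(buckets, hash_seed)
    for pkt in packets:
        table.process(pkt)
    return table.stats()


def run_randomised(packets, buckets=16):
    """Default behaviour: a fresh seed on every process start."""
    return run(packets, buckets, random.SystemRandom().getrandbits(32))


def run_pinned(packets, buckets=16):
    """-H behaviour in spirit: a fixed seed, hence reproducible stats."""
    return run(packets, buckets, 0)


def distinct_results(packets, seeds, buckets=16):
    """How many different stat lines the same input produces across seeds."""
    return {run(packets, buckets, s) for s in seeds}


if __name__ == "__main__":
    pcap = make_traffic()
    print("pinned seed, two runs :", run_pinned(pcap), run_pinned(pcap))
    print("random seed, two runs :", run_randomised(pcap), run_randomised(pcap))
    print("distinct stats over 32 seeds:", len(distinct_results(pcap, range(32))))
```

The input never changes between runs; only the bucket assignment does, and with a bounded table that is enough to change which flows survive pruning and therefore how many segments are queued, rebuilt or dropped. That is why the diff above moves the TCP reassembly and "Total packets processed" counters by a few thousand while the packet breakdown barely moves. Pinning the seed (here `run_pinned`, in Snort `-H`) is the right setting when comparing runs against a fixed pcap, for regression testing or for diffing rule-set changes; for a production sensor a randomised seed is the default for a reason, since a predictable hash lets an attacker craft flows that all collide in one bucket.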