<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:14pt">Thanks Russ. Using -H, now I get the same stats after each run.<br><div><span>So this was due to the use of a random number generator for seed and scale</span></div><div style="color: rgb(0, 0, 0); font-size: 18.6667px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>in hash table usage.</span></div><div style="color: rgb(0, 0, 0); font-size: 18.6667px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 18.6667px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>Thank you.</span></div><div style="color: rgb(0, 0, 0); font-size: 18.6667px; font-family: times new roman,new york,times,serif;
 background-color: transparent; font-style: normal;"><span>Mahendra<br></span></div><div style="display: block;" class="yahoo_quoted"> <br> <br> <div style="font-family: times new roman, new york, times, serif; font-size: 14pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> On Friday, 13 December 2013 12:12 AM, Russ Combs <rcombs@...1935...> wrote:<br> </font> </div>  <div class="y_msg_container"><div id="yiv1974238112"><div><div dir="ltr">Try adding -H to your command line and see what happens.<br clear="none"></div><div class="yiv1974238112gmail_extra"><br clear="none"><br clear="none"><div class="yiv1974238112gmail_quote">On Thu, Dec 12, 2013 at 3:54 AM, Mahendra Ladhe <span dir="ltr"><<a rel="nofollow" shape="rect" ymailto="mailto:lml108@...131..." target="_blank" href="mailto:lml108@...131...">lml108@...131...</a>></span> wrote:<br clear="none">
<blockquote class="yiv1974238112gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="yiv1974238112yqt5294739828" id="yiv1974238112yqt94520"><div><div style="font-size:14pt;font-family:times new roman, new york, times, serif;"><div>Hi,<br clear="none">    when I run snort more than once on the same input pcap file on the same x86 machine</div>
<div style="font-style:normal;font-size:18.6667px;background-color:transparent;font-family:times new roman, new york, times, serif;">with the same set of arguments, the stats printed are different.<br clear="none"><br clear="none">Output of snort -V<br clear="none">
   <br clear="none">   ,,_     -*> Snort! <*-<br clear="none">  o"  )~   Version 2.9.5.6 GRE (Build 208)<br clear="none">   ''''    By Martin Roesch & The Snort Team: <a rel="nofollow" shape="rect" target="_blank" href="http://www.snort.org/snort/snort-team">http://www.snort.org/snort/snort-team</a><br clear="none">
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.<br clear="none">           Using libpcap version
 1.0.0<br clear="none">           Using PCRE version: 7.8 2008-09-05<br clear="none">           Using ZLIB version: 1.2.3<br clear="none"><br clear="none">My command lines to invoke snort:<br clear="none"><br clear="none">sudo snort -c /blah/blah/snort_rules_asis/etc/snort.conf -r /blah/blah/LLS_DDOS_1.0-dmz.dump -k none >>~/log1 2>>~/log1<br clear="none">
sudo snort -c /blah/blah/snort_rules_asis/etc/snort.conf -r /blah/blah/LLS_DDOS_1.0-dmz.dump -k none >>~/log2 2>>~/log2<br clear="none"><br clear="none">I'm using the snort.conf that ships with the snort rules 2.9.5.5 as is.</div><div style="font-style:normal;font-size:18.6667px;background-color:transparent;font-family:times new roman, new york, times, serif;">
<br clear="none">I have empty <br clear="none">snort_rules_asis/rules/white_list.rules<br clear="none">snort_rules_asis/rules/black_list.rules<br clear="none">files.<br clear="none"><br clear="none">Here is the relevant part of the difference between the two log files generated.<br clear="none">$ diff -u
 ~/log1 ~/log2<br clear="none"><br clear="none">--- log1    2013-12-12 13:52:31.972748000 +0530<br clear="none">+++ log2    2013-12-12 13:52:31.978745000 +0530<br clear="none">@@ -460,13 +460,13 @@<br clear="none">    Injected:            0<br clear="none"> ===============================================================================<br clear="none">
 Breakdown by protocol (includes rebuilt packets):<br clear="none">-        Eth:       394732 (100.000%)<br clear="none">+        Eth:       394733 (100.000%)<br clear="none">        VLAN:            0 (  0.000%)<br clear="none">-        IP4:       390468 ( 98.920%)<br clear="none">+        IP4:      
 390469 ( 98.920%)<br clear="none">        Frag:            0 (  0.000%)<br clear="none">        ICMP:         3034 (  0.769%)<br clear="none">         UDP:         3448 (  0.874%)<br clear="none">-        TCP:       383986 ( 97.278%)<br clear="none">+        TCP:       383987 ( 97.278%)<br clear="none">
         IP6:            0 (  0.000%)<br clear="none">     IP6 Ext:            0 (  0.000%)<br clear="none">    IP6
 Opts:            0 (  0.000%)<br clear="none">@@ -505,8 +505,8 @@<br clear="none"> Bad Chk Sum:            0 (  0.000%)<br clear="none">     Bad TTL:            0 (  0.000%)<br clear="none">      S5 G 1:          381 (  0.097%)<br clear="none">-     S5 G 2:          262 (  0.066%)<br clear="none">
-      Total:       394732<br clear="none">+     S5 G 2:          263 (  0.067%)<br clear="none">+      Total:       394733<br clear="none"> ===============================================================================<br clear="none"> Action
 Stats:<br clear="none">      Alerts:            0 (  0.000%)<br clear="none">@@ -519,10 +519,10 @@<br clear="none">       Event:            0<br clear="none">       Alert:            0<br clear="none"> Verdicts:<br clear="none">-      Allow:       388534 ( 98.590%)<br clear="none">+      Allow:       394089 (100.000%)<br clear="none">
       Block:            0 (  0.000%)<br clear="none">     Replace:            0 (  0.000%)<br clear="none">-  Whitelist:         5555 (  1.410%)<br clear="none">+ 
 Whitelist:            0 (  0.000%)<br clear="none">   Blacklist:            0 (  0.000%)<br clear="none">      Ignore:            0 (  0.000%)<br clear="none"> ===============================================================================<br clear="none">@@ -556,10 +556,10 @@<br clear="none">
 TCP StreamTrackers Deleted: 9466<br clear="none">               TCP Timeouts: 57<br clear="none">               TCP Overlaps: 7<br clear="none">-       TCP Segments Queued: 85702<br clear="none">-     TCP Segments Released: 85702<br clear="none">-       TCP Rebuilt Packets: 27267<br clear="none">-         TCP Segments Used:
 85275<br clear="none">+       TCP Segments Queued: 87295<br clear="none">+     TCP Segments Released: 87295<br clear="none">+       TCP Rebuilt Packets: 27447<br clear="none">+         TCP Segments Used: 86868<br clear="none">               TCP Discards: 24<br clear="none">                   TCP Gaps: 7693<br clear="none">
       UDP Sessions Created: 734<br clear="none">@@ -594,7 +594,7 @@<br clear="none">     HTTP Response Gzip packets extracted: 0         <br clear="none">     Gzip Compressed Data Processed:       n/a       <br clear="none">     Gzip Decompressed Data Processed:    
 n/a       <br clear="none">-    Total packets processed:              218796    <br clear="none">+    Total packets processed:              222212    <br clear="none"> ===============================================================================<br clear="none"> SMTP Preprocessor Statistics<br clear="none">
   Total sessions                                    : 524</div><div style="font-style:normal;font-size:18.6667px;background-color:transparent;font-family:times new roman, new york, times, serif;"><br clear="none"></div><div style="font-style:normal;font-size:18.6667px;background-color:transparent;font-family:times new roman, new york, times, serif;">
If I run snort a couple more times, I see stats, a small part of which differs from the previous run.</div><div style="font-style:normal;font-size:18.6667px;background-color:transparent;font-family:times new roman, new york, times, serif;">
Could someone please explain the reason behind this?</div><div style="font-style:normal;font-size:18.6667px;background-color:transparent;font-family:times new roman, new york, times, serif;"><br clear="none"></div><div style="font-style:normal;font-size:18.6667px;background-color:transparent;font-family:times new roman, new york, times, serif;">
Thank you.</div><span class="yiv1974238112HOEnZb"><font color="#888888"></font></span><div style="font-style:normal;font-size:18.6667px;background-color:transparent;font-family:times new roman, new york, times, serif;">Mahendra<br clear="none"></div></div>
</div></div></blockquote></div><br clear="none"></div></div></div><br><br></div>  </div> </div>  </div> </div></body></html>