Re: Non-Determinism in Snort detection engine

["Asad, Hafiz ul" <Hafiz-ul.Asad () city ac uk>]

> > Snort team,

> > I have recently observed that snort, having same rules (Pre-processor rules to be precise), have generated different
> > number of alerts for the same pcap traffic when run twice. Is there any non-determinism in the snort engine or I 
> > might
> > have done something wrong with the experiment?



To be more precise, in the alerts data in the mysql database, different packets (same source IP, destination but 
different IP ID) of the same TCP session have been alerted by the same preprocessor rule, SID= 33,GID=119,msg: 
http_inspect: UNESCAPED SPACE IN HTTP URI . This is after I run the experiment twice for the same pcap data.


Asad

________________________________
From: Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk>
Sent: Friday, July 7, 2017 12:11:15 PM
To: Snort-users () lists snort org; snort-users () lists sourceforge net
Subject: [Snort-users] Fw: Non-Determinism in Snort detection engine




________________________________
From: Asad, Hafiz ul
Sent: Thursday, July 6, 2017 5:50 PM
To: snort-users () lists sourceforge net
Subject: Non-Determinism in Snort detection engine


Snort team,


I have recently observed that snort, having same rules (Pre-processor rules to be precise), have generated different 
number of alerts for the same pcap traffic when run twice. Is there any non-determinism in the snort engine or I might 
have done something wrong with the experiment?


regards

Asad

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!