Re: Non-Determinism in Snort detection engine

[Felix Erlacher <felix.erlacher () uibk ac at>]

sshfs is for sure not the most performant way to mount remote folders.
But I am pretty sure that in this case it is not the cause for you
problem because the pcap files will be loaded to memory, before
processed by snort.

felix

On 07/07/17 14:01, Asad, Hafiz ul wrote:
> Hi,
>
> Thanks for your reply. The files are actually quite big, in hundereds of
> gigs, but I don't replay them on the network. I am using this ,
>
>
> snort --pcap-file=/path_to_pcap_file.txt  -c  snort.conf -l /var/log/snort
>
>
> However, the path to the list of pcap files, is on another machine
> having the pcap files. I am just mounting that drive through the "sshfs"
> to the machine where I am running snort. Could that be the reason?
>
>
> Asad
>
> ------------------------------------------------------------------------
> *From:* Felix Erlacher <felix.erlacher () uibk ac at>
> *Sent:* Friday, July 7, 2017 12:44:17 PM
> *To:* snort-users () lists snort org
> *Subject:* Re: [Snort-users] Non-Determinism in Snort detection engine
>  
> Hi Asad,
>
> I assume you also have the same rule files for different runs.
> How do you feed the pcap data to you Snort instance?
> Reading from a pcap file or replaying it over the network?
> How big is your pcap dump?
>
> Replaying over the network might lead to different packets being lost on
> different runs and thus leading to different results.
>
> greets
>
> felix
>
> On 07/07/17 13:37, Asad, Hafiz ul wrote:
> > > > Snort team,
> >
> > > > I have recently observed that snort, having same rules (Pre-processor
> > rules to be precise), have generated different
> > > > number of alerts for the same pcap traffic when run twice. Is there
> > any non-determinism in the snort engine or I might 
> > > > have done something wrong with the experiment?
> >
> >
> >
> > To be more precise, in the alerts data in the mysql database, different
> > packets (same source IP, destination but different IP ID) of the same
> > TCP session have been alerted by the same preprocessor rule, SID=
> > 33,GID=119,msg:http_inspect: UNESCAPED SPACE IN HTTP URI . This is after
> > I run the experiment twice for the same pcap data.
> >
> >
> > Asad
> >
> > ------------------------------------------------------------------------
> > *From:* Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk>
> > *Sent:* Friday, July 7, 2017 12:11:15 PM
> > *To:* Snort-users () lists snort org; snort-users () lists sourceforge net
> > *Subject:* [Snort-users] Fw: Non-Determinism in Snort detection engine
> >  
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> > *From:* Asad, Hafiz ul
> > *Sent:* Thursday, July 6, 2017 5:50 PM
> > *To:* snort-users () lists sourceforge net
> > *Subject:* Non-Determinism in Snort detection engine
> >  
> >
> > Snort team,
> >
> >
> > I have recently observed that snort, having same rules (Pre-processor
> > rules to be precise), have generated different number of alerts for the
> > same pcap traffic when run twice. Is there any non-determinism in the
> > snort engine or I might have done something wrong with the experiment?
> >
> >
> > regards
> >
> > Asad
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!

-- 
Felix Erlacher

ccs-labs.org/~erlacher
Key-ID:4EAC0959


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!