Snort mailing list archives

Re: Non-Determinism in Snort detection engine


From: "Asad, Hafiz ul" <Hafiz-ul.Asad () city ac uk>
Date: Fri, 7 Jul 2017 17:43:26 +0000

Thanks for your reply, but I am afraid I can't share the traffic due to the confidentiality of the data I am experimenting
with. It's actually the university pcap data which we are using for our research. Anyhow, I am re-running the analysis
with the "-H" option and will report the results here. Meanwhile, I will be really thankful if you can suggest any
literature to understand the working of this preprocessor, or any preprocessor for that matter. The question is, do we get
an alert for a "packet" in a session, or for a number of "packets" in the same session? And if it is one alert per session, then
which packet? The first one?


regards

Asad

________________________________
From: Al Lewis (allewi) <allewi () cisco com>
Sent: Friday, July 7, 2017 6:36:28 PM
To: Asad, Hafiz ul; Russ Combs (rucombs); Snort-users () lists snort org
Subject: Re: [Snort-users] Non-Determinism in Snort detection engine

Hello,

Do you have an example of the traffic that you can share?


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of "Asad, Hafiz ul" <Hafiz-ul.Asad () city ac uk>
Date: Friday, July 7, 2017 at 10:37 AM
To: "Russ Combs (rucombs)" <rucombs () cisco com>, "Snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Non-Determinism in Snort detection engine


A related question: if there are 10 packets in this http session (for which I got this alert), shall we get alerts for
each packet in this session? How does this "preprocessor" rule decide which packet in the session gets alerted on?


Asad

________________________________
From: Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk>
Sent: Friday, July 7, 2017 2:15:53 PM
To: Russ; Snort-users () lists snort org
Subject: Re: [Snort-users] Non-Determinism in Snort detection engine


Thanks! Just to clarify, you mean if I run the experiment again with the -H option, it will give me the same results
repeatedly?

________________________________
From: Russ via Snort-users <snort-users () lists snort org>
Sent: Friday, July 7, 2017 1:42:24 PM
To: snort-users () lists snort org
Subject: Re: [Snort-users] Non-Determinism in Snort detection engine



On 7/7/17 7:56 AM, Asad, Hafiz ul wrote:

Thanks! As I am completely blank on the snort engine, can you confirm that it has some sort of non-determinism (I read
that its engine has a non-deterministic automaton)?

Yes, it does have an available NFA for fast pattern searches, but that won't cause different alerts.  -H uses fixed 
hash seeds and flush points to ensure repeatable results.

________________________________
From: Edward Borgoyn <e.c.borgoyn () ieee org>
Sent: Friday, July 7, 2017 12:53:43 PM
To: Asad, Hafiz ul
Cc: Snort-users () lists snort org; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Non-Determinism in Snort detection engine

In some situations, the -H option will remove non-deterministic behavior from Snort.

On Fri, Jul 7, 2017 at 7:49 AM, Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk> wrote:

No! Here is my snort command,


snort --pcap-file=/path_to_pcap_file.txt  -c  snort.conf -l /var/log/snort


Asad

________________________________
From: Edward Borgoyn <e.c.borgoyn () ieee org>
Sent: Friday, July 7, 2017 12:45:52 PM
To: Asad, Hafiz ul
Cc: Snort-users () lists snort org; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Non-Determinism in Snort detection engine

Are you running Snort with the -H command line option?

On Fri, Jul 7, 2017 at 7:37 AM, Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk> wrote:

Snort team,

I have recently observed that snort, with the same rules (preprocessor rules to be precise), has generated a different
number of alerts for the same pcap traffic when run twice. Is there any non-determinism in the snort engine, or might I
have done something wrong with the experiment?



To be more precise, in the alerts data in the mysql database, different packets (same source IP and destination, but
different IP ID) of the same TCP session have been alerted on by the same preprocessor rule, SID=33, GID=119, msg:
"http_inspect: UNESCAPED SPACE IN HTTP URI". This is after I ran the experiment twice for the same pcap data.


Asad

________________________________
From: Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk>
Sent: Friday, July 7, 2017 12:11:15 PM
To: Snort-users () lists snort org; snort-users () lists sourceforge net
Subject: [Snort-users] Fw: Non-Determinism in Snort detection engine




________________________________
From: Asad, Hafiz ul
Sent: Thursday, July 6, 2017 5:50 PM
To: snort-users () lists sourceforge net
Subject: Non-Determinism in Snort detection engine


Snort team,


I have recently observed that snort, with the same rules (preprocessor rules to be precise), has generated a different
number of alerts for the same pcap traffic when run twice. Is there any non-determinism in the snort engine, or might I
have done something wrong with the experiment?


regards

Asad

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
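The repeatability check the thread circles around, written out as an added example (this is not code from the thread or from the Snort project): run Snort twice over the same pcap list with the -H option Russ and Edward point to, then reduce each run's alert output to per-signature counts so that timestamps and per-packet details drop out of the comparison. The Snort invocation extends the command Asad quoted; the paths are placeholders, and the alert_fast lines used to exercise the comparison are constructed, with 1:1000001:1 standing in for an arbitrary local rule.

```sh
#!/bin/sh
# Added example, not code from the thread: run Snort twice over the same pcap
# list with -H and compare per-signature alert counts between the two runs.
# Paths and the alert lines below are constructed placeholders.

# Wrapper around the command quoted in the thread, with -H added and fast
# alert output so the two runs can be compared. Needs a real snort install.
run_snort_twice() {
    pcap_list="$1"; conf="$2"; outdir="$3"
    for n in 1 2; do
        mkdir -p "$outdir/run$n"
        snort -H --pcap-file="$pcap_list" -c "$conf" -l "$outdir/run$n" -A fast
    done
}

# Reduce an alert_fast file to "gid:sid:rev count" lines, sorted by signature,
# so only what was alerted on, and how often, enters the comparison.
sig_counts() {
    grep -o '\[[0-9]*:[0-9]*:[0-9]*\]' "$1" | tr -d '[]' | sort | uniq -c \
        | awk '{ print $2, $1 }'
}

# Count for one signature (e.g. 119:33:1) in an alert file; prints 0 if absent.
count_of() {
    n=$(sig_counts "$1" | awk -v s="$2" '$1 == s { print $2 }')
    printf '%s\n' "${n:-0}"
}

# Succeeds when both runs produced identical per-signature counts.
same_counts() {
    [ "$(sig_counts "$1")" = "$(sig_counts "$2")" ]
}

# Prints both runs' counts side by side; always exits 0 so it can be used
# purely as a report.
compare_runs() {
    echo "== run 1 =="; sig_counts "$1"
    echo "== run 2 =="; sig_counts "$2"
    if same_counts "$1" "$2"; then
        echo "RESULT: identical per-signature counts"
    else
        echo "RESULT: counts differ between runs"
    fi
}

# Constructed sample alert_fast output for two runs of the same pcap. Run 2 is
# run 1 minus one 119:33 (UNESCAPED SPACE IN HTTP URI) alert, modelling the
# discrepancy Asad reported.
WORK=$(mktemp -d)
RUN1="$WORK/run1.alert"; RUN2="$WORK/run2.alert"
cat > "$RUN1" <<'EOF'
07/07-10:37:01.000001  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 10.0.0.9:80
07/07-10:37:01.000002  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 10.0.0.9:80
07/07-10:37:01.000003  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 10.0.0.9:80
07/07-10:37:02.000001  [**] [1:1000001:1] CONSTRUCTED LOCAL RULE [**] [Priority: 3] {TCP} 10.0.0.5:51240 -> 10.0.0.9:80
EOF
awk 'NR != 3' "$RUN1" > "$RUN2"

compare_runs "$RUN1" "$RUN2"
```

Run it as-is to see the comparison over the constructed files, or call run_snort_twice with your own pcap list, snort.conf and an output directory and then compare_runs on the two alert files it writes. With -H in place (fixed hash seeds and flush points, per Russ's reply) the expected outcome is identical counts; if the counts still differ, the variation is coming from something other than what -H pins down, and the per-signature breakdown shows which rule is moving.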
