Re: Snort gives different stats for different runs with the same set of inputs

[Russ Combs <rcombs () sourcefire com>]

Try adding -H to your command line and see what happens.


On Thu, Dec 12, 2013 at 3:54 AM, Mahendra Ladhe <lml108 () yahoo com> wrote:

> Hi,
>     when I run snort more than once on the same input pcap file on the
> same x86 machine
> with the same set of arguments, the stats printed are different.
>
> Output of snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.5.6 GRE (Build 208)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.0.0
>            Using PCRE version: 7.8 2008-09-05
>            Using ZLIB version: 1.2.3
>
> My command lines to invoke snort:
>
> sudo snort -c /blah/blah/snort_rules_asis/etc/snort.conf -r
> /blah/blah/LLS_DDOS_1.0-dmz.dump -k none >>~/log1 2>>~/log1
> sudo snort -c /blah/blah/snort_rules_asis/etc/snort.conf -r
> /blah/blah/LLS_DDOS_1.0-dmz.dump -k none >>~/log2 2>>~/log2
>
> I'm using the snort.conf that ships with the snort rules 2.9.5.5 as is.
>
> I'm having empty
> snort_rules_asis/rules/white_list.rules
> snort_rules_asis/rules/black_list.rules
> files.
>
> Here is the relevant part the difference between the two log files
> generated.
> $ diff u ~/log1 ~/log2
>
> --- log1    2013-12-12 13:52:31.972748000 +0530
> +++ log2    2013-12-12 13:52:31.978745000 +0530
> @@ -460,13 +460,13 @@
>     Injected:            0
>
>  ===============================================================================
>  Breakdown by protocol (includes rebuilt packets):
> -        Eth:       394732 (100.000%)
> +        Eth:       394733 (100.000%)
>         VLAN:            0 (  0.000%)
> -        IP4:       390468 ( 98.920%)
> +        IP4:       390469 ( 98.920%)
>         Frag:            0 (  0.000%)
>         ICMP:         3034 (  0.769%)
>          UDP:         3448 (  0.874%)
> -        TCP:       383986 ( 97.278%)
> +        TCP:       383987 ( 97.278%)
>          IP6:            0 (  0.000%)
>      IP6 Ext:            0 (  0.000%)
>     IP6 Opts:            0 (  0.000%)
> @@ -505,8 +505,8 @@
>  Bad Chk Sum:            0 (  0.000%)
>      Bad TTL:            0 (  0.000%)
>       S5 G 1:          381 (  0.097%)
> -     S5 G 2:          262 (  0.066%)
> -      Total:       394732
> +     S5 G 2:          263 (  0.067%)
> +      Total:       394733
>
>  ===============================================================================
>  Action Stats:
>       Alerts:            0 (  0.000%)
> @@ -519,10 +519,10 @@
>        Event:            0
>        Alert:            0
>  Verdicts:
> -      Allow:       388534 ( 98.590%)
> +      Allow:       394089 (100.000%)
>        Block:            0 (  0.000%)
>      Replace:            0 (  0.000%)
> -  Whitelist:         5555 (  1.410%)
> +  Whitelist:            0 (  0.000%)
>    Blacklist:            0 (  0.000%)
>       Ignore:            0 (  0.000%)
>
>  ===============================================================================
> @@ -556,10 +556,10 @@
>  TCP StreamTrackers Deleted: 9466
>                TCP Timeouts: 57
>                TCP Overlaps: 7
> -       TCP Segments Queued: 85702
> -     TCP Segments Released: 85702
> -       TCP Rebuilt Packets: 27267
> -         TCP Segments Used: 85275
> +       TCP Segments Queued: 87295
> +     TCP Segments Released: 87295
> +       TCP Rebuilt Packets: 27447
> +         TCP Segments Used: 86868
>                TCP Discards: 24
>                    TCP Gaps: 7693
>        UDP Sessions Created: 734
> @@ -594,7 +594,7 @@
>      HTTP Response Gzip packets extracted: 0
>      Gzip Compressed Data Processed:       n/a
>      Gzip Decompressed Data Processed:     n/a
> -    Total packets processed:              218796
> +    Total packets processed:              222212
>
>  ===============================================================================
>  SMTP Preprocessor Statistics
>    Total sessions                                    : 524
>
> If I run snort a couple of more times, I see stats, a small part of which
> differs from the previous run.
> Could someone please explain the reason behind this ?
>
> Thank you.
> Mahendra
>
>
> ------------------------------------------------------------------------------
> Rapidly troubleshoot problems before they affect your business. Most IT
> organizations don't have a clear picture of how application performance
> affects their revenue. With AppDynamics, you get 100% visibility into your
> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
> Pro!
> http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!