Question

I want to ask a question related to snort.

I have different sets of Snort rules; some belong to v2.9.1 (approx. 3 years ago) and some belong to v2.9.5.6.

I also have a dataset which includes some malicious traffic as well.

Now, when I run Snort with the v2.9.1 rules, it gives alerts for 17% of my dataset. On the other hand, with the 2.9.5.6 rules, it only gives alerts for 0.02% of my dataset. What is the reason for this? I was expecting to get a better result, but it nearly couldn't detect the malicious packets.

Does anyone have an idea about it?

Thanks in advance.

Sincerely.

Eray


Solution

There are a lot of changes from 2.9.1 to 2.9.5.6. Are these custom rules and do you have any examples of them? This is very broad and without any examples it's going to be impossible to explain why this is happening. If you provide an example of a rule that is still alerting and a rule that is no longer triggering that would be a good start.

One thing that comes to mind is if you are using the host attribute table or not, and if the rules contain "metadata service" keywords. See the snort manual for additional information (http://manual.snort.org/node22.html). If you were not using the host attributes in 2.9.1 but you are now and you do not have this properly configured, it is possible you will see this behavior. Since 17% to 0.02% is a pretty drastic change this is certainly possible.

When using the host attributes, if snort identifies a service it will then disregard the port in the rule header. For example, if you specify a rule header like the following:

drop tcp $HOME_NET any -> $EXTERNAL_NET 80

This is looking for traffic with destination port 80. If you specify "metadata service: http" in your rule and you are using the host attributes, ALL traffic whose service Snort identifies as http will be sent through this rule, regardless of the destination port. This also works the other way around (if Snort identifies a service on a stream, it will ONLY send the packets in that stream to rules that contain metadata service keywords matching the services it identified). I.e. if your rule does not use "metadata service: http", you are using host attributes, and Snort identifies the flow as http, it will never send that stream through your rule.

So it really depends on how Snort is configured now; if the rules did not change, then perhaps the preprocessors you are using changed. This is just one possible explanation, it could also be something completely different, but you did not provide enough information to determine this.
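To make the dispatch behaviour the answer describes concrete, here is an added Python model of it. This is illustration code written for this page, not Snort's own implementation: it reproduces the two selection modes as the answer states them (port-based when the host attribute table is not in use, service-based when it is) over a constructed ruleset and a constructed traffic sample, and shows how a legacy ruleset with no metadata:service keywords loses most of its coverage the moment service identification is switched on. The rule SIDs, ports and flows are made up for the demo.

```python
"""Toy model of the rule-dispatch behaviour described in the answer above.

This is an added illustration, not Snort's own code. It models the two
dispatch modes the answer describes: port-based when the host attribute
table is not in use, and service-based (metadata:service) when it is.
All rules and flows below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    sid: int
    proto: str
    dst_port: Optional[int]            # None models "any"
    services: frozenset = frozenset()  # from "metadata:service ..." if present


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_port: int
    identified_service: Optional[str]  # what the host attribute table says, if anything


def rules_for_flow(rules: List[Rule], flow: Flow, host_attributes: bool) -> List[int]:
    """SIDs of the rules that would inspect this flow under the given mode."""
    selected = []
    for r in rules:
        if r.proto != flow.proto:
            continue
        if host_attributes and flow.identified_service is not None:
            # Service known: the header port is disregarded and only rules that
            # declare that service in their metadata see the stream.
            if flow.identified_service in r.services:
                selected.append(r.sid)
        elif r.dst_port is None or r.dst_port == flow.dst_port:
            # No service information: classic port-based dispatch.
            selected.append(r.sid)
    return selected


def coverage(rules: List[Rule], flows: List[Flow], host_attributes: bool) -> float:
    """Fraction of flows that reach at least one rule (an upper bound on alerts)."""
    hit = sum(1 for f in flows if rules_for_flow(rules, f, host_attributes))
    return hit / len(flows)


# Constructed "legacy" ruleset: port-only headers, no metadata:service.
LEGACY_RULES = [
    Rule(1000001, "tcp", 80),
    Rule(1000002, "tcp", 25),
]

# The same detections rewritten with metadata:service keywords.
SERVICE_RULES = [
    Rule(2000001, "tcp", 80, frozenset({"http"})),
    Rule(2000002, "tcp", 25, frozenset({"smtp"})),
]

# Constructed traffic sample: port/service pairs a host attribute table might report.
FLOWS = [
    Flow("tcp", 80, "http"),     # web on the usual port
    Flow("tcp", 8080, "http"),   # web on a non-standard port
    Flow("tcp", 80, None),       # port 80, but no host attribute entry
    Flow("tcp", 25, "smtp"),     # mail
]

if __name__ == "__main__":
    for name, rules in (("legacy", LEGACY_RULES), ("service", SERVICE_RULES)):
        for mode in (False, True):
            print(f"{name:7s} host_attributes={mode!s:5s} "
                  f"coverage={coverage(rules, FLOWS, mode):.2f}")
```

Running it shows the legacy ruleset dropping from 0.75 to 0.25 coverage once host attributes are on (only the flow with no attribute entry still falls back to port dispatch), while the service-aware ruleset goes up to 1.0 because it also catches http on port 8080. When comparing two rulesets against one dataset, checking whether the newer rules carry metadata:service keywords and whether the host attribute table is loaded is a quick way to rule this explanation in or out.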

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow