For the purpose of this analysis, we decided to use 52 log files out of the collection made available by SANS [9]. All the files analyzed were recorded by a Snort [16] instance running in binary logging mode. This means that only packets that triggered a signature appear in the logs; packets the sensor saw but did not alert on were never written out. This fact is going to play an important role later, when we analyze the data and try to draw some conclusions.
To work with all 52 log files, we merged them into one big tcpdump (pcap) file using mergecap(1). The merging of the log files yielded roughly 324,000 recorded packets, as the following command shows (tcpdump prints one line per packet, so the line count is the packet count):

    $ tcpdump -nnelr /tmp/sans | wc -l
    324461
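The merge-and-count step above relies on two external tools. As an added example (not code from the paper or from SANS), the following Python script does the same job with the standard library alone: it parses the libpcap file format, merges several captures in timestamp order (mergecap's default behaviour), and counts the records, which is what `tcpdump -r file | wc -l` measures. It goes slightly beyond the text by also accepting big-endian captures and by refusing truncated files instead of silently undercounting. The three small input "logs" and their dummy 60-byte frames are constructed inline; the file name `/tmp/sans` from the paper is not used.

```python
import struct
from typing import Iterator, List, Tuple

# libpcap file format constants (standard values, not taken from the paper)
PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read little-endian from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic as read little-endian from a big-endian file
LINKTYPE_ETHERNET = 1

Record = Tuple[int, int, bytes]  # (ts_sec, ts_usec, captured bytes)


def global_header(snaplen: int = 65535, linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """24-byte pcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)


def write_pcap(records: List[Record]) -> bytes:
    """Serialise records into a little-endian pcap byte string (also used to build sample input)."""
    out = bytearray(global_header())
    for ts_sec, ts_usec, payload in records:
        # 16-byte record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload))
        out += payload
    return bytes(out)


def iter_packets(data: bytes) -> Iterator[Record]:
    """Walk the records of a pcap byte string, detecting byte order from the magic number."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("unknown magic 0x%08x (not libpcap, maybe pcapng)" % magic)
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            # A capture cut off mid-packet (sensor died, disk full) stops here
            # rather than yielding a short frame that would skew the count.
            raise ValueError("truncated packet data at offset %d" % off)
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def count_packets(data: bytes) -> int:
    """Equivalent of `tcpdump -nnelr file | wc -l`: one record per packet."""
    return sum(1 for _ in iter_packets(data))


def merge_pcaps(files: List[bytes]) -> bytes:
    """Merge several pcap files into one ordered by timestamp, as mergecap does by default."""
    records: List[Record] = []
    for f in files:
        records.extend(iter_packets(f))
    records.sort(key=lambda r: (r[0], r[1]))
    return write_pcap(records)


# Constructed sample input: three tiny "logs" of dummy 60-byte frames whose
# timestamps interleave, so simple concatenation would leave them out of order.
def frame(tag: int) -> bytes:
    return bytes([tag]) * 60


SAMPLE_LOGS = [
    write_pcap([(1000, 0, frame(1)), (1002, 0, frame(2))]),
    write_pcap([(1001, 500, frame(3)), (1003, 0, frame(4))]),
    write_pcap([(999, 0, frame(5))]),
]


if __name__ == "__main__":
    merged = merge_pcaps(SAMPLE_LOGS)
    print("packets in merged capture:", count_packets(merged))
    for ts_sec, ts_usec, payload in iter_packets(merged):
        print(ts_sec, ts_usec, "frame tag", payload[0])
```

Because Snort's binary logs contain only alerting packets, a count obtained this way is a count of alerts-with-packets, not of traffic seen; keep that in mind before comparing it with figures from full-packet captures.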