Missing Snort Alerts

There is still one issue we have not resolved. Why are there about 324461 log entries, but for about 70,000 of them we were not able to generate a snort alert. Out of these 70,000 events, more than 69.000 are related to Web traffic (targeting or originating from port 80).

There are multiple possible reasons for this:

• Our snort rules were different, either because the original snort was tuned, custom signatures were used or the signatures got updated over time.
• We did not have the same settings for the preprocessors or originally, other preprocessors were used.
• We set the HOME_NET or other variables differently.