Snort mailing list archives
Re: Issues in changing max_queue_events value
From: Russ <rucombs () cisco com>
Date: Thu, 1 Jun 2017 06:38:29 -0400
Look for this in src/fpdetect.h:

#define MAX_EVENT_MATCH 100

The lesser of max_queue_events and MAX_EVENT_MATCH is the effective upper bound.
That said, it is a little unusual to have so many rules firing on the same packet.
On 5/30/17 11:42 AM, Navdeep Uniyal wrote:
Dear Users,

I have been trying to experiment with 200 alerts for snort. But the issue is that while I am increasing the max_queue_events value to 300, it is defaulting to 100. As per snort output....

Action Stats:
Alerts: 100 (9998.500%)
Logged: 100 (9998.500%)
Passed: 0 ( 0.000%)
Limits:
Match: 100
Queue: 0
Log: 0
Event: 0
Alert: 0

Which means that it is alerting for 100 rules, whereas the other 100 rules are matching but are ignored. As per the snort manual, max_queue_events handles this factor, which I am already changing.

Please if you could help me in this regard. PFA the snort file.

Best Regards,
Navdeep

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Issues in changing max_queue_events value Navdeep Uniyal (May 30)
- Re: Issues in changing max_queue_events value Russ (Jun 01)