Snort mailing list archives

Re: Issues in changing max_queue_events value


From: Russ <rucombs () cisco com>
Date: Thu, 1 Jun 2017 06:38:29 -0400

Look for this in src/fpdetect.h:

#define MAX_EVENT_MATCH 100

The lesser of max_queue_events and MAX_EVENT_MATCH is the effective upper bound.

That said, it is a little unusual to have so many rules firing on the same packet.

On 5/30/17 11:42 AM, Navdeep Uniyal wrote:
Dear Users,

I have been trying to experiment with 200 alerts for Snort. But the issue is that while I am increasing the max_queue_events value to 300, it is defaulting to 100.

As per the Snort output:

Action Stats:
      Alerts:      100 (9998.500%)
      Logged:      100 (9998.500%)
      Passed:            0 (  0.000%)
Limits:
       Match:      100
       Queue:       0
         Log:            0
       Event:         0
       Alert:           0


Which means that it is alerting for 100 rules, whereas the other 100 rules are matching but are ignored. As per the Snort manual, max_queue_events handles this factor, which I am already changing. Please help me in this regard if you could.

PFA the snort file.



Best Regards,
Navdeep

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

