Snort mailing list archives
Re: SNORT Alert Messages
From: Russ via Snort-devel <snort-devel () lists snort org>
Date: Sat, 9 Jun 2018 08:43:38 -0400
Check your shutdown counts under Limits. Looks like you need to increase this:

config detection: max_queue_events

More info here: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node9.html#SECTION00275000000000000000

Hope that helps.

Russ

On 6/9/18 5:24 AM, İzzettin Erdem via Snort-devel wrote:
Hello Everyone,

I changed the community rules to my own rules and I realized that SNORT prints alert messages a maximum of 5 times to the console if it finds more than 5 alerts. For instance, I inspected one packet's payload with Wireshark and wrote one rule which matches the packet's payload. I wrote this rule 20 times to the rule file and I ran Snort. Snort gave me just 5 alert messages. How can I increase this alert count? I am working on a project and I am a beginner. I would be very pleased if you can help me.

Example:

Rule File:
alert tcp any any -> any any (msg:"Feature1"; content:"#JN1"; nocase; sid:1)
alert tcp any any -> any any (msg:"Feature2"; content:"#JN1"; nocase; sid:2)
alert tcp any any -> any any (msg:"Feature3"; content:"#JN1"; nocase; sid:3)
. . .
alert tcp any any -> any any (msg:"Feature20"; content:"#JN1"; nocase; sid:20)

Snort Output:
05/-22:56:55.056993 [**] [1:2019:0] Feature2 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
05/-22:56:55.056993 [**] [1:2017:0] Feature4 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
05/-22:56:55.056993 [**] [1:2015:0] Feature11 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
05/-22:56:55.056993 [**] [1:2013:0] Feature15 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
05/-22:56:55.056993 [**] [1:460:0] Feature18 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
Total Alerts: 5

Expected Output:
05/-22:56:55.056993 [**] [1:2019:0] Feature1 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
05/-22:56:55.056993 [**] [1:2017:0] Feature2 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
05/-22:56:55.056993 [**] [1:2015:0] Feature3 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
. . .
05/-22:56:55.056993 [**] [1:2013:0] Feature19 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
05/-22:56:55.056993 [**] [1:460:0] Feature20 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
Total Alerts: 20

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
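An added example, not from this thread or the Snort project: a small Python checker that parses console alert lines in the format shown above, counts alerts per packet, and flags packets whose count reached max_queue_events, which is the symptom the poster hit. It assumes the Snort 2 default of 5 for that setting and uses sample lines constructed in the thread's format (timestamps are made up).

```python
import re
from collections import Counter

# Snort 2 fast-style console alert line, in the shape quoted in the thread:
#   05/08-22:56:55.056993 [**] [1:2019:0] Feature2 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:[^\]]*\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Assumption: Snort 2's default for "config detection: max_queue_events".
DEFAULT_MAX_QUEUE_EVENTS = 5


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        a[key] = int(a[key])
    return a


def alerts_per_packet(lines):
    """Count alerts per packet, keyed by (timestamp, proto, src, dst).
    Every alert Snort raises for one packet carries the same timestamp and
    endpoints, so this key approximates one packet."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a is not None:
            counts[(a["ts"], a["proto"], a["src"], a["dst"])] += 1
    return counts


def packets_at_queue_limit(lines, max_queue_events=DEFAULT_MAX_QUEUE_EVENTS):
    """Packet keys whose alert count reached the event-queue cap; further
    matching rules for those packets were silently dropped, so the count
    understates what the ruleset actually matched."""
    return [k for k, n in alerts_per_packet(lines).items() if n >= max_queue_events]


# Constructed sample output: one packet that hit the default cap of 5 and one
# packet (different destination port) that raised a single alert.
_PKT = ("05/08-22:56:55.056993 [**] [1:%d:0] Feature%d [**] [Priority: 0] "
        "{TCP} 46.20.153.125:80 -> 10.0.2.15:56216")
SAMPLE_OUTPUT = [_PKT % (2000 + i, i) for i in (2, 4, 11, 15, 18)] + [
    "05/08-22:56:55.123456 [**] [1:2:0] Feature2 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56217",
]

if __name__ == "__main__":
    for key in packets_at_queue_limit(SAMPLE_OUTPUT):
        print("hit max_queue_events:", key)
```

If this reports packets at the cap while the rule file has more matching rules, raise max_queue_events in the detection config (as the reply above suggests) rather than treating the printed count as complete.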
Current thread:
- SNORT Alert Messages İzzettin Erdem via Snort-devel (Jun 09)
- Re: SNORT Alert Messages Marcin Dulak via Snort-devel (Jun 09)
- Re: SNORT Alert Messages Russ via Snort-devel (Jun 09)
- <Possible follow-ups>
- SNORT Alert Messages İzzettin Erdem via Snort-devel (Jun 09)
- Re: SNORT Alert Messages Y M via Snort-devel (Jun 09)
- Re: SNORT Alert Messages Y M via Snort-devel (Jun 09)
- Re: SNORT Alert Messages Russ via Snort-devel (Jun 09)
- Re: SNORT Alert Messages Y M via Snort-devel (Jun 09)