Snort mailing list archives

question on --tweaks max_detect


From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Sun, 26 Apr 2020 19:37:26 +0200

Hello,

I have a question on the *--tweaks max_detect* flag.
When I run it, I'm actually seeing fewer alerts generated than when I don't
include that flag, which seems counter-intuitive.

The command I'm running:

sudo snort -c /usr/local/etc/snort/snort.lua -r ~/pcaps/maccdc2012_00000.pcap -A alert_fast -s 65535 -k none --tweaks max_detect

My snort.lua is attached. I'm using the Registered ruleset and builtin
rules on Snort 3.0.1 b2, Ubuntu 20 x64.

with max_detect:

total_alerts: 43245
runtime: 00:03:49


without max_detect:

total_alerts: 44564
runtime: 00:03:51


The pcap file is from:

wget https://download.netresec.com/pcap/maccdc-2012/maccdc2012_00000.pcap.gz
gunzip maccdc2012_00000.pcap.gz


Not a big deal, but odd.
Thanks
Noah

Attachment: snort.lua
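The next step a practitioner would take with the numbers above is to find out which rules account for the 1319-alert difference rather than comparing totals. The script below is an added example, not part of Noah's post or of the Snort project: it runs the same command twice (with and without --tweaks max_detect), writes the alert_fast output to files, tallies alerts per gid:sid:rev, and prints only the IDs whose counts differ. It assumes Snort 3 on the PATH, the config and pcap paths from the post, and that alert_fast goes to stdout when no -l directory is given; the output file names, the helper function names and the sample alert_fast lines used to exercise the parsing are constructed for this example.

```shell
#!/bin/sh
# Added example: attribute an alert-count gap between two Snort runs to specific rules.
# Assumptions (not from the original post): snort 3 is on PATH, alert_fast prints to
# stdout without -l, and the file names/helper names below are this example's choice.
set -e
export LC_ALL=C   # stable byte-order sorting so sort and join agree on collation

SNORT_CONF=/usr/local/etc/snort/snort.lua
PCAP="$HOME/pcaps/maccdc2012_00000.pcap"

# Run snort once with any extra flags given after the output file, capture alert_fast text.
run_snort() {
    out="$1"; shift
    snort -c "$SNORT_CONF" -r "$PCAP" -A alert_fast -s 65535 -k none "$@" > "$out"
}

# Read alert_fast lines on stdin, emit one "gid:sid:rev count" line per rule, sorted by id.
# The rule id is the first bracketed triple after the first "[**]" marker.
count_by_sid() {
    sed -n 's/^.*\[\*\*\] \[\([0-9]*:[0-9]*:[0-9]*\)\].*$/\1/p' \
        | sort | uniq -c | awk '{print $2, $1}' | sort
}

# Join two per-rule tables (baseline first, tweaked second) and keep only the rules whose
# counts differ. Rules missing from one side are reported with a count of 0.
diff_counts() {
    join -a1 -a2 -e 0 -o 0,1.2,2.2 "$1" "$2" | awk '$2 != $3'
}

# Constructed alert_fast lines (not real output from the maccdc2012 pcap) used to check the
# parsing: the "tweaked" sample loses one hit on rule 1000001 and gains rule 1000003.
SAMPLE_BASELINE='04/26-19:37:26.100000 [**] [1:1000001:1] "TEST rule A" [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.202.79:50465 -> 192.168.229.251:80
04/26-19:37:26.200000 [**] [1:1000001:1] "TEST rule A" [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.202.79:50466 -> 192.168.229.251:80
04/26-19:37:26.300000 [**] [1:1000002:1] "TEST rule B" [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.202.1:53 -> 192.168.202.79:5353'
SAMPLE_TWEAKED='04/26-19:37:26.100000 [**] [1:1000001:1] "TEST rule A" [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.202.79:50465 -> 192.168.229.251:80
04/26-19:37:26.300000 [**] [1:1000002:1] "TEST rule B" [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.202.1:53 -> 192.168.202.79:5353
04/26-19:37:26.400000 [**] [1:1000003:1] "TEST rule C" [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.202.79:50467 -> 192.168.229.251:443'

# Run the per-rule comparison over the constructed samples; prints "gid:sid:rev base tweaked".
compare_samples() {
    b=$(mktemp); t=$(mktemp)
    printf '%s\n' "$SAMPLE_BASELINE" | count_by_sid > "$b"
    printf '%s\n' "$SAMPLE_TWEAKED"  | count_by_sid > "$t"
    diff_counts "$b" "$t"
    rm -f "$b" "$t"
}

# Full comparison against the real pcap; only runs when invoked as "script.sh --run".
compare_runs() {
    run_snort alerts_default.txt
    run_snort alerts_max_detect.txt --tweaks max_detect
    count_by_sid < alerts_default.txt    > counts_default.txt
    count_by_sid < alerts_max_detect.txt > counts_max_detect.txt
    echo "gid:sid:rev default max_detect"
    diff_counts counts_default.txt counts_max_detect.txt
}

if [ "${1:-}" = "--run" ]; then
    compare_runs
else
    compare_samples
fi
```

Running it with --run produces the three output files plus a table of only the rules whose hit counts moved; every other rule fired identically under both configurations and drops out of the listing. The per-rule table is also what you would attach to a follow-up mail, since totals alone do not say whether the gap comes from a few high-volume rules or from many rules each losing a few hits.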

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel