Re: question on --tweaks max_detect

[Noah Dietrich <noah_dietrich () 86penny org>]

Commenting that out in max_detect didn't seem to fix the  issue,
I saw a few more alerts with that line commented out (43466) compared to
running max_detect as originally created (43245) , but not as many as when
i ran without max_detect  (44564).

Noah





On Mon, Apr 27, 2020 at 12:13 AM Russ Combs (rucombs) <rucombs () cisco com>
wrote:

> Hi Noah,
>
>
>
> Try commenting out the below line max_detect.lua.  We are planning to
> remove that; from security.lua as well.  The default allows midstream
> pickups.
>
>
>
> stream_tcp.require_3whs = 0
>
>
>
> Russ
>
>
>
> *From: *Snort-devel <snort-devel-bounces () lists snort org> on behalf of
> Noah Dietrich <noah_dietrich () 86penny org>
> *Date: *Sunday, April 26, 2020 at 1:39 PM
> *To: *"snort-devel () lists snort org" <snort-devel () lists snort org>
> *Subject: *[Snort-devel] question on --tweaks max_detect
>
>
>
> Hello,
>
>
>
> I have a question on the *--tweaks max_detect* flag.
>
> when i run it, i'm actually seeing less alerts generated as when i don't
> include that flag, which seems counter-intuitive.
>
>
>
> The command i'm running:
>
> sudo snort -c /usr/local/etc/snort/snort.lua -r
> ~/pcaps/maccdc2012_00000.pcap -A alert_fast -s 65535 -k none --tweaks
> max_detect
>
>
>
> my snort.lua is attached, i'm using the Registered ruleset and builtin
> rules on snort 3.0.1 b2, ubuntu 20 x64.
>
>
>
> with max_detect:
>
> total_alerts: 43245
>
> runtime: 00:03:49
>
>
>
> without max_detect:
>
> total_alerts: 44564
>
> runtime: 00:03:51
>
>
>
> the pcap file is from:
>
> wget
> https://download.netresec.com/pcap/maccdc-2012/maccdc2012_00000.pcap.gz
>
> gunzip maccdc2012_00000.pcap.gz
>
>
>
> not a big deal, but odd.
>
> Thanks
>
> Noah
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!