Snort mailing list archives
Re: question on --tweaks max_detect
From: "Filice II, Anthony via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 27 Apr 2020 18:29:01 +0000
Did you restart your snort process? From: Snort-devel <snort-devel-bounces () lists snort org> On Behalf Of Noah Dietrich Sent: Monday, April 27, 2020 1:12 PM To: Russ Combs (rucombs) <rucombs () cisco com> Cc: snort-devel () lists snort org Subject: Re: [Snort-devel] question on --tweaks max_detect External Email: Do not click any links or open any attachments unless you trust the sender and know the content is safe. Commenting that out in max_detect didn't seem to fix the issue, I saw a few more alerts with that line commented out (43466) compared to running max_detect as originally created (43245) , but not as many as when i ran without max_detect (44564). Noah On Mon, Apr 27, 2020 at 12:13 AM Russ Combs (rucombs) <rucombs () cisco com<mailto:rucombs () cisco com>> wrote: Hi Noah, Try commenting out the below line max_detect.lua. We are planning to remove that; from security.lua as well. The default allows midstream pickups. stream_tcp.require_3whs = 0 Russ From: Snort-devel <snort-devel-bounces () lists snort org<mailto:snort-devel-bounces () lists snort org>> on behalf of Noah Dietrich <noah_dietrich () 86penny org<mailto:noah_dietrich () 86penny org>> Date: Sunday, April 26, 2020 at 1:39 PM To: "snort-devel () lists snort org<mailto:snort-devel () lists snort org>" <snort-devel () lists snort org<mailto:snort-devel () lists snort org>> Subject: [Snort-devel] question on --tweaks max_detect Hello, I have a question on the --tweaks max_detect flag. when i run it, i'm actually seeing less alerts generated as when i don't include that flag, which seems counter-intuitive. The command i'm running: sudo snort -c /usr/local/etc/snort/snort.lua -r ~/pcaps/maccdc2012_00000.pcap -A alert_fast -s 65535 -k none --tweaks max_detect my snort.lua is attached, i'm using the Registered ruleset and builtin rules on snort 3.0.1 b2, ubuntu 20 x64. with max_detect: total_alerts: 43245 runtime: 00:03:49 without max_detect: total_alerts: 44564 runtime: 00:03:51 the pcap file is from: wget https://download.netresec.com/pcap/maccdc-2012/maccdc2012_00000.pcap.gz gunzip maccdc2012_00000.pcap.gz not a big deal, but odd. Thanks Noah
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- question on --tweaks max_detect Noah Dietrich (Apr 26)
- Re: question on --tweaks max_detect Russ Combs (rucombs) via Snort-devel (Apr 26)
- Re: question on --tweaks max_detect Noah Dietrich (Apr 27)
- Re: question on --tweaks max_detect Filice II, Anthony via Snort-devel (Apr 27)
- Re: question on --tweaks max_detect Noah Dietrich (Apr 27)
- Re: question on --tweaks max_detect Noah Dietrich (Apr 28)
- Re: question on --tweaks max_detect Noah Dietrich (Apr 27)
- Re: question on --tweaks max_detect Russ Combs (rucombs) via Snort-devel (Apr 26)