Snort mailing list archives

Re: question on --tweaks max_detect


From: "Filice II, Anthony via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 27 Apr 2020 18:29:01 +0000

Did you restart your snort process?

From: Snort-devel <snort-devel-bounces () lists snort org> On Behalf Of Noah Dietrich
Sent: Monday, April 27, 2020 1:12 PM
To: Russ Combs (rucombs) <rucombs () cisco com>
Cc: snort-devel () lists snort org
Subject: Re: [Snort-devel] question on --tweaks max_detect


Commenting that out in max_detect didn't seem to fix the issue. I saw a few more alerts with that line commented out (43466) compared to running max_detect as originally created (43245), but not as many as when I ran without max_detect (44564).

Noah

On Mon, Apr 27, 2020 at 12:13 AM Russ Combs (rucombs) <rucombs () cisco com> wrote:
Hi Noah,

Try commenting out the below line in max_detect.lua. We are planning to remove that from security.lua as well. The default allows midstream pickups.

stream_tcp.require_3whs = 0

Russ

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Noah Dietrich <noah_dietrich () 86penny org>
Date: Sunday, April 26, 2020 at 1:39 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] question on --tweaks max_detect

Hello,

I have a question on the --tweaks max_detect flag.
When I run it, I'm actually seeing fewer alerts generated than when I don't include that flag, which seems counter-intuitive.

The command I'm running:
sudo snort -c /usr/local/etc/snort/snort.lua -r ~/pcaps/maccdc2012_00000.pcap -A alert_fast -s 65535 -k none --tweaks max_detect

My snort.lua is attached; I'm using the Registered ruleset and builtin rules on Snort 3.0.1 b2, Ubuntu 20 x64.

With max_detect:
total_alerts: 43245
runtime: 00:03:49

Without max_detect:
total_alerts: 44564
runtime: 00:03:51

The pcap file is from:
wget https://download.netresec.com/pcap/maccdc-2012/maccdc2012_00000.pcap.gz
gunzip maccdc2012_00000.pcap.gz

Not a big deal, but odd.
Thanks,
Noah

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
