Re: Snort-devel Digest, Vol 13, Issue 4

[İzzettin Erdem via Snort-devel <snort-devel () lists snort org>]

Hello Everyone,

I changed Snort' s config file and problem solved!. Thank you very much
Russ.

Old config file: (line 200)
config event_queue: max_queue 8 log 4 order_events content_length

New confg file: (line 200-201)
config event_queue: max_queue 8 log 2000 order_events content_length
config detection: max_queue_events 50000

I just changed "... log 4 ..." to "... log 2000 ..." and I add "config
detection: max_queue_events 50000" line. It works fine now. Thanks again
everyone!.



2018-06-09 15:43 GMT+03:00 <snort-devel-request () lists snort org>:

> Send Snort-devel mailing list submissions to
>         snort-devel () lists snort org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.snort.org/mailman/listinfo/snort-devel
> or, via email, send a message with subject or body 'help' to
>         snort-devel-request () lists snort org
>
> You can reach the person managing the list at
>         snort-devel-owner () lists snort org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-devel digest..."
>
>
> Today's Topics:
>
>    1. SNORT Alert Messages (?zzettin Erdem)
>    2. Re: SNORT Alert Messages (Marcin Dulak)
>    3. Re: SNORT Alert Messages (Russ)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 9 Jun 2018 12:24:12 +0300
> From: ?zzettin Erdem <root.mch () gmail com>
> To: snort-devel () lists snort org
> Subject: [Snort-devel] SNORT Alert Messages
> Message-ID:
>         <CAN_SLJUJ0_tcJumFSH8GE1U3J83xgzdPCm+
> PPJ3FKA8td+QcpQ () mail gmail com>
> Content-Type: text/plain; charset="utf-8"
>
> Hello Everyone,
>
> I changed community rules with my own rules and I realize that SNORT just
> prints alert messages maximum 5 times to console if it finds more than 5
> alerts. For instance, I inspect one packet's payload with WireShark and
> wrote one rule which matches with packet's payload. I wrote this rule 20
> times to rule file and I ran Snort. Snort gave me just 5 alert messages.
> How can I increase this alert count ? I am working on a Project and I am a
> beginner. I am very pleased if you can help me.
>
> Example:
>
> Rule File:
> alert tcp any any -> any any (msg:"Feature1"; content:"#JN1"; nocase;
> sid:1)
> alert tcp any any -> any any (msg:"Feature2"; content:"#JN1"; nocase;
> sid:2)
> alert tcp any any -> any any (msg:"Feature3"; content:"#JN1"; nocase;
> sid:3)
> .
> .
> .
> alert tcp any any -> any any (msg:"Feature20"; content:"#JN1"; nocase;
> sid:20)
>
> Snort Output:
> 05/-22:56:55.056993  [**] [1:2019:0] Feature2 [**]  [Priority: 0] {TCP}
> 46.20.153.125:80 -> 10.0.2.15:56216
> 05/-22:56:55.056993  [**] [1:2017:0] Feature4 [**]  [Priority: 0] {TCP}
> 46.20.153.125:80 -> 10.0.2.15:56216
> 05/-22:56:55.056993  [**] [1:2015:0] Feature11 [**]  [Priority: 0] {TCP}
> 46.20.153.125:80 -> 10.0.2.15:56216
> 05/-22:56:55.056993  [**] [1:2013:0] Feature15 [**]  [Priority: 0] {TCP}
> 46.20.153.125:80 -> 10.0.2.15:56216
> 05/-22:56:55.056993  [**] [1:460:0] Feature18 [**]  [Priority: 0] {TCP}
> 46.20.153.125:80 -> 10.0.2.15:56216
> Total Alerts: 5
>
> Expected Output:
> 05/-22:56:55.056993  [**] [1:2019:0] Feature1 [**]  [Priority: 0] {TCP}
> 46.20.153.125:80 -> 10.0.2.15:56216
> 05/-22:56:55.056993  [**] [1:2017:0] Feature2 [**]  [Priority: 0] {TCP}
> 46.20.153.125:80 -> 10.0.2.15:56216
> 05/-22:56:55.056993  [**] [1:2015:0] Feature3 [**]  [Priority: 0] {TCP}
> 46.20.153.125:80 -> 10.0.2.15:56216
> .
> .
> .
> 05/-22:56:55.056993  [**] [1:2013:0] Feature19 [**]  [Priority: 0] {TCP}
> 46.20.153.125:80 -> 10.0.2.15:56216
> 05/-22:56:55.056993  [**] [1:460:0] Feature20 [**]  [Priority: 0] {TCP}
> 46.20.153.125:80 -> 10.0.2.15:56216
> Total Alerts: 20
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.snort.org/pipermail/snort-devel/
> attachments/20180609/90c18109/attachment-0001.html>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 9 Jun 2018 13:06:03 +0200
> From: Marcin Dulak <marcin.dulak () gmail com>
> To: ?zzettin Erdem <root.mch () gmail com>
> Cc: snort-devel () lists snort org
> Subject: Re: [Snort-devel] SNORT Alert Messages
> Message-ID:
>         <CABJoABZMFDy5yBuaAk7W4w+B5=9d7TO96SDTURHtFbHBrENRYQ@mail.
> gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> On Sat, Jun 9, 2018 at 11:24 AM, ?zzettin Erdem via Snort-devel <
> snort-devel () lists snort org> wrote:
>
> > Hello Everyone,
> >
> > I changed community rules with my own rules and I realize that SNORT just
> > prints alert messages maximum 5 times to console if it finds more than 5
> > alerts. For instance, I inspect one packet's payload with WireShark and
> > wrote one rule which matches with packet's payload. I wrote this rule 20
> > times to rule file and I ran Snort. Snort gave me just 5 alert messages.
> > How can I increase this alert count ? I am working on a Project and I am
> a
> > beginner. I am very pleased if you can help me.
> >
> > Example:
> >
> > Rule File:
> > alert tcp any any -> any any (msg:"Feature1"; content:"#JN1"; nocase;
> > sid:1)
> > alert tcp any any -> any any (msg:"Feature2"; content:"#JN1"; nocase;
> > sid:2)
> > alert tcp any any -> any any (msg:"Feature3"; content:"#JN1"; nocase;
> > sid:3)
> > .
> > .
> > .
> > alert tcp any any -> any any (msg:"Feature20"; content:"#JN1"; nocase;
> > sid:20)
> >
> > Snort Output:
> > 05/-22:56:55.056993  [**] [1:2019:0] Feature2 [**]  [Priority: 0] {TCP}
> > 46.20.153.125:80 -> 10.0.2.15:56216
>
> the [gid:sid:revision] https://www.snort.org/rule_docs/1-2019 do not
> correspond to your alert settings above. Is this a real snort output?
>
> Marcin
>
>
> > 05/-22:56:55.056993  [**] [1:2017:0] Feature4 [**]  [Priority: 0] {TCP}
> > 46.20.153.125:80 -> 10.0.2.15:56216
> > 05/-22:56:55.056993  [**] [1:2015:0] Feature11 [**]  [Priority: 0] {TCP}
> > 46.20.153.125:80 -> 10.0.2.15:56216
> > 05/-22:56:55.056993  [**] [1:2013:0] Feature15 [**]  [Priority: 0] {TCP}
> > 46.20.153.125:80 -> 10.0.2.15:56216
> > 05/-22:56:55.056993  [**] [1:460:0] Feature18 [**]  [Priority: 0] {TCP}
> > 46.20.153.125:80 -> 10.0.2.15:56216
> > Total Alerts: 5
> >
> > Expected Output:
> > 05/-22:56:55.056993  [**] [1:2019:0] Feature1 [**]  [Priority: 0] {TCP}
> > 46.20.153.125:80 -> 10.0.2.15:56216
> > 05/-22:56:55.056993  [**] [1:2017:0] Feature2 [**]  [Priority: 0] {TCP}
> > 46.20.153.125:80 -> 10.0.2.15:56216
> > 05/-22:56:55.056993  [**] [1:2015:0] Feature3 [**]  [Priority: 0] {TCP}
> > 46.20.153.125:80 -> 10.0.2.15:56216
> > .
> > .
> > .
> > 05/-22:56:55.056993  [**] [1:2013:0] Feature19 [**]  [Priority: 0] {TCP}
> > 46.20.153.125:80 -> 10.0.2.15:56216
> > 05/-22:56:55.056993  [**] [1:460:0] Feature20 [**]  [Priority: 0] {TCP}
> > 46.20.153.125:80 -> 10.0.2.15:56216
> > Total Alerts: 20
> >
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel () lists snort org
> > https://lists.snort.org/mailman/listinfo/snort-devel
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.snort.org/pipermail/snort-devel/
> attachments/20180609/23a1309c/attachment-0001.html>
>
> ------------------------------
>
> Message: 3
> Date: Sat, 9 Jun 2018 08:43:38 -0400
> From: Russ <rucombs () cisco com>
> To: snort-devel () lists snort org
> Subject: Re: [Snort-devel] SNORT Alert Messages
> Message-ID: <8e14c0c0-a924-4afa-ee1d-fa6a3b9687ed () cisco com>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> Check your shutdown counts under Limits.? Looks like you need to
> increase this:
>
> config detection: max_queue_events
>
> More info here:
>
> http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node9.html#
> SECTION00275000000000000000
>
> Hope that helps.
> Russ
>
> On 6/9/18 5:24 AM, ?zzettin Erdem via Snort-devel wrote:
> > Hello Everyone,
> >
> > I changed community rules with my own rules and I realize that SNORT
> > just prints alert messages maximum 5 times to console if it finds more
> > than 5 alerts. For instance, I inspect one packet's payload with
> > WireShark and wrote one rule which matches with packet's payload. I
> > wrote this rule 20 times to rule file and I ran Snort. Snort gave me
> > just 5 alert messages. How can I increase this alert count ? I am
> > working on a Project and I am a beginner. I am very pleased if you can
> > help me.
> >
> > Example:
> >
> > Rule File:
> > alert tcp any any -> any any (msg:"Feature1"; content:"#JN1"; nocase;
> > sid:1)
> > alert tcp any any -> any any (msg:"Feature2"; content:"#JN1"; nocase;
> > sid:2)
> > alert tcp any any -> any any (msg:"Feature3"; content:"#JN1"; nocase;
> > sid:3)
> > .
> > .
> > .
> > alert tcp any any -> any any (msg:"Feature20"; content:"#JN1"; nocase;
> > sid:20)
> >
> > Snort Output:
> > 05/-22:56:55.056993? [**] [1:2019:0] Feature2 [**] [Priority: 0] {TCP}
> > 46.20.153.125:80 <http://46.20.153.125:80> -> 10.0.2.15:56216
> > <http://10.0.2.15:56216>
> > 05/-22:56:55.056993? [**] [1:2017:0] Feature4 [**]? [Priority: 0]
> > {TCP} 46.20.153.125:80 <http://46.20.153.125:80> -> 10.0.2.15:56216
> > <http://10.0.2.15:56216>
> > 05/-22:56:55.056993? [**] [1:2015:0] Feature11 [**] [Priority: 0]
> > {TCP} 46.20.153.125:80 <http://46.20.153.125:80> -> 10.0.2.15:56216
> > <http://10.0.2.15:56216>
> > 05/-22:56:55.056993? [**] [1:2013:0] Feature15 [**] [Priority: 0]
> > {TCP} 46.20.153.125:80 <http://46.20.153.125:80> -> 10.0.2.15:56216
> > <http://10.0.2.15:56216>
> > 05/-22:56:55.056993? [**] [1:460:0] Feature18 [**]? [Priority: 0]
> > {TCP} 46.20.153.125:80 <http://46.20.153.125:80> -> 10.0.2.15:56216
> > <http://10.0.2.15:56216>
> > Total Alerts: 5
> >
> > Expected Output:
> > 05/-22:56:55.056993? [**] [1:2019:0] Feature1 [**] [Priority: 0] {TCP}
> > 46.20.153.125:80 <http://46.20.153.125:80> -> 10.0.2.15:56216
> > <http://10.0.2.15:56216>
> > 05/-22:56:55.056993? [**] [1:2017:0] Feature2 [**] [Priority: 0] {TCP}
> > 46.20.153.125:80 <http://46.20.153.125:80> -> 10.0.2.15:56216
> > <http://10.0.2.15:56216>
> > 05/-22:56:55.056993? [**] [1:2015:0] Feature3 [**] [Priority: 0] {TCP}
> > 46.20.153.125:80 <http://46.20.153.125:80> -> 10.0.2.15:56216
> > <http://10.0.2.15:56216>
> > .
> > .
> > .
> > 05/-22:56:55.056993? [**] [1:2013:0] Feature19 [**] [Priority: 0]
> > {TCP} 46.20.153.125:80 <http://46.20.153.125:80> -> 10.0.2.15:56216
> > <http://10.0.2.15:56216>
> > 05/-22:56:55.056993? [**] [1:460:0] Feature20 [**] [Priority: 0] {TCP}
> > 46.20.153.125:80 <http://46.20.153.125:80> -> 10.0.2.15:56216
> > <http://10.0.2.15:56216>
> > Total Alerts: 20
> >
> >
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel () lists snort org
> > https://lists.snort.org/mailman/listinfo/snort-devel
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.snort.org/pipermail/snort-devel/
> attachments/20180609/22a7b97c/attachment.html>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
>
> ------------------------------
>
> End of Snort-devel Digest, Vol 13, Issue 4
> ******************************************
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!