Snort mailing list archives
SNORT Alert Configuration
From: Furkan Çelik via Snort-devel <snort-devel () lists snort org>
Date: Thu, 14 Jun 2018 10:57:46 +0300
Hello everyone,
When I give a pcap file to SNORT, a maximum of 5 alerts were displayed. So I
configured the snort.conf file and changed the max_queue_events and log
parameter values. (It was 5 by default.) I increased the value to 1000, and
I noticed that even after I changed the value, the maximum number of logs
displayed was 100. I wanted to know whether there is any other parameter that
I need to change. How can I see every alert on the terminal?
Another question: as a solution to the first question, I edited the
snort.conf file and uncommented the "config profile_rules: print all, sort
matches, filename /home/ubuntu/output.txt append" line. (It was commented
out by default.) When I run the "sudo snort -A console -q -c /etc/snort/snort.conf
-r sample.pcap" command, even when the rule matches the packet it does not
give an alert. I wanted to know why it doesn't give an alert.
As an example of the second question, when I run the "sudo snort -A console -q -c
/etc/snort/snort.conf -r sample.pcap" command, the output is like this:
timestamp: 1528957146
Rule Profile Statistics (worst 4950 rules)
==========================================================
Num   SID  GID  Rev  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch  Disabled
===   ===  ===  ===  ======  =======  ======  =========  =========  =========  ============  ========
  1  1660    1    0      16        2       1         34        2.2       17.3           0.0         0
  2  1666    1    0      16        2       1         34        2.2       17.4           0.0         0
  3  1482    1    0       1        1       0          1        1.5        1.5           0.0         0
  4  1024    1    0       1        1       0          1        1.8        1.8           0.0         0
  5  1763    1    0       1        1       1          1        1.9        1.9           0.0         0
  6  1233    1    0       1        1       1          1        1.7        1.7           0.0         0
  7  1612    1    0       1        1       1          2        2.3        2.3           0.0         0
  8  1370    1    0       1        1       1          2        2.4        2.4           0.0         0
  9  1375    1    0       1        1       0          2        2.7        2.7           0.0         0
...
238  2160    1    0       1        0       0          0        0.7        0.0           0.7         0
239    17    1    0       1        0       0          0        0.7        0.0           0.7         0
240   381    1    0      14        0       0          1        0.1        0.0           0.1         0
241  2162    1    0       1        0       0          0        0.3        0.0           0.3         0
242   380    1    0      14        0       0          1        0.1        0.0           0.1         0
243  2141    1    0       1        0       0          0        0.3        0.0           0.3         0
244  2167    1    0       1        0       0          0        0.7        0.0           0.7         0
245   285    1    0      14        0       0          2        0.2        0.0           0.2         0
If you look at lines 3 and 4, you can see that there are matches but no
alerts. Why? Thanks.
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
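Added example, not from the post or from the Snort project: a small Python parser for the "Rule Profile Statistics" block printed above, which lists the rules that matched at least once but never produced an alert (the discrepancy the question is about) and totals the match/alert gap. The sample text is constructed in the shape of that output; the column names are taken from the post's header line.

```python
# Constructed sample in the shape of Snort 2.x "config profile_rules" output
# (a few rows only, not the full table from the post).
SAMPLE = """\
Rule Profile Statistics (worst 4950 rules)
==========================================================
Num   SID  GID  Rev  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch  Disabled
===   ===  ===  ===  ======  =======  ======  =========  =========  =========  ============  ========
  1  1660    1    0      16        2       1         34        2.2       17.3           0.0         0
  3  1482    1    0       1        1       0          1        1.5        1.5           0.0         0
  4  1024    1    0       1        1       0          1        1.8        1.8           0.0         0
240   381    1    0      14        0       0          1        0.1        0.0           0.1         0
"""

# Column names as printed in the profile header (12 columns per rule row).
COLUMNS = ("num", "sid", "gid", "rev", "checks", "matches", "alerts",
           "microsecs", "avg_check", "avg_match", "avg_nonmatch", "disabled")


def parse_profile(text):
    """Return one dict per rule row; title, header, separator and
    truncated lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS) or not fields[0].isdigit():
            continue
        try:
            values = ([int(f) for f in fields[:8]]
                      + [float(f) for f in fields[8:11]]
                      + [int(fields[11])])
        except ValueError:
            continue  # e.g. a row mangled by line wrapping or a stray "."
        rows.append(dict(zip(COLUMNS, values)))
    return rows


def matched_not_alerted(rows):
    """SIDs of rules whose detection options matched but that raised no alert."""
    return [r["sid"] for r in rows if r["matches"] > 0 and r["alerts"] == 0]


def alert_gap(rows):
    """Total matches minus total alerts across the profiled rules."""
    return sum(r["matches"] for r in rows) - sum(r["alerts"] for r in rows)


if __name__ == "__main__":
    stats = parse_profile(SAMPLE)
    print("matched but not alerted:", matched_not_alerted(stats))
    print("match/alert gap:", alert_gap(stats))
```

Feeding the real output file named in the post's profile_rules line into parse_profile gives the same two lists over the full table.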