Snort mailing list archives
Re: Setting max_queue to 1
From: Beenish Raza <beenish.raza () hotmail com>
Date: Sat, 24 May 2014 01:54:04 +0500
Please guide me. I am making these changes in snort.conf:

config event_queue: max_queue 1 log 1 order_events content_length

I ran commands to ensure that the config file has no errors, but Snort is still reporting more than 1 match against the same packet.

From: beenish.raza () hotmail com
To: snort-users () lists sourceforge net
Date: Thu, 22 May 2014 23:52:56 +0500
Subject: [Snort-users] Setting max_queue to 1

I want to report only 1 rule matched per packet. Like, if a packet matches multiple rules, then it should report or log just one rule against which it matched. From what I understand up till now, you have to make changes in the snort.conf file. I changed this line of snort.conf

config event_queue: max_queue 8 log 3 order_events content_length

to

config event_queue: max_queue 1 log 1 order_events content_length

and saved this file. But now when I run the pcap file, it again reports multiple matches against the single packet. What else do I need to do to make this work?

After making changes in snort.conf I did this:

snort restart

but it gave me this error:

Can't see DAQ BPF filter to 'restart'

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
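One way to check whether an event_queue change is taking effect, as an added example that is not part of the original messages: the script below counts alerts per packet in Snort output. It assumes alerts are written in Snort's fast alert format and treats alerts that share a timestamp, protocol and endpoints as belonging to the same packet; the sample lines, SIDs and addresses are constructed.

```python
import re
from collections import defaultdict

# One Snort "fast" alert line:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def alerts_per_packet(lines):
    """Group alerts by packet key; return {key: [(gid, sid, rev), ...]}.

    Assumption: alerts raised by the same packet carry an identical
    timestamp, protocol, source and destination.
    """
    packets = defaultdict(list)
    for line in lines:
        m = FAST_ALERT.match(line.strip())
        if not m:
            continue  # blank line or not a fast-format alert
        key = (m["ts"], m["proto"], m["src"], m["dst"])
        packets[key].append((int(m["gid"]), int(m["sid"]), int(m["rev"])))
    return dict(packets)

def multi_alert_packets(lines):
    """Return only the packets that produced more than one alert."""
    return {k: v for k, v in alerts_per_packet(lines).items() if len(v) > 1}

# Constructed sample: the first packet fires two rules, the second fires one.
SAMPLE = """\
05/22-23:52:56.101010  [**] [1:1000001:1] LOCAL test rule A [**] [Priority: 0] {TCP} 192.0.2.10:40000 -> 192.0.2.20:80
05/22-23:52:56.101010  [**] [1:1000002:1] LOCAL test rule B [**] [Priority: 0] {TCP} 192.0.2.10:40000 -> 192.0.2.20:80
05/22-23:52:57.202020  [**] [1:1000001:1] LOCAL test rule A [**] [Priority: 0] {TCP} 192.0.2.10:40001 -> 192.0.2.20:80
""".splitlines()

if __name__ == "__main__":
    offenders = multi_alert_packets(SAMPLE)
    for key, rules in offenders.items():
        print(key, "->", rules)
    print(f"{len(offenders)} packet(s) with more than one alert")
```

An empty result from `multi_alert_packets` on the alert file means no packet was logged against more than one rule.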
Current thread:
- Setting max_queue to 1 Beenish Raza (May 22)
- Re: Setting max_queue to 1 Beenish Raza (May 23)