Snort mailing list archives
Re: question on --tweaks max_detect
From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Mon, 27 Apr 2020 20:32:24 +0200
Yes, each run of snort is a one-off (I'm not running it as a daemon). I'm launching an instance of snort to scan a single pcap file (so I'm replaying the exact same traffic through snort), and then snort closes once the pcap has been processed against the ruleset. I'm modifying each run of snort to test with and without the max_detect option.

Thanks,
Noah

On Mon, Apr 27, 2020 at 8:29 PM Filice II, Anthony <Anthony.FiliceII () ally com> wrote:

Did you restart your snort process?

From: Snort-devel <snort-devel-bounces () lists snort org> On Behalf Of Noah Dietrich
Sent: Monday, April 27, 2020 1:12 PM
To: Russ Combs (rucombs) <rucombs () cisco com>
Cc: snort-devel () lists snort org
Subject: Re: [Snort-devel] question on --tweaks max_detect

Commenting that out in max_detect didn't seem to fix the issue. I saw a few more alerts with that line commented out (43466) compared to running max_detect as originally created (43245), but not as many as when I ran without max_detect (44564).

Noah

On Mon, Apr 27, 2020 at 12:13 AM Russ Combs (rucombs) <rucombs () cisco com> wrote:

Hi Noah,

Try commenting out the below line in max_detect.lua. We are planning to remove that, from security.lua as well. The default allows midstream pickups.

stream_tcp.require_3whs = 0

Russ

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Noah Dietrich <noah_dietrich () 86penny org>
Date: Sunday, April 26, 2020 at 1:39 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] question on --tweaks max_detect

Hello,

I have a question on the --tweaks max_detect flag. When I run it, I'm actually seeing fewer alerts generated than when I don't include that flag, which seems counter-intuitive.

The command I'm running:

sudo snort -c /usr/local/etc/snort/snort.lua -r ~/pcaps/maccdc2012_00000.pcap -A alert_fast -s 65535 -k none --tweaks max_detect

My snort.lua is attached. I'm using the Registered ruleset and builtin rules on Snort 3.0.1 b2, Ubuntu 20 x64.

with max_detect:
total_alerts: 43245
runtime: 00:03:49

without max_detect:
total_alerts: 44564
runtime: 00:03:51

The pcap file is from:

wget https://download.netresec.com/pcap/maccdc-2012/maccdc2012_00000.pcap.gz
gunzip maccdc2012_00000.pcap.gz

Not a big deal, but odd.

Thanks,
Noah
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
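The thread compares only the total_alerts counter of two runs, which cannot say which rules account for the roughly 1,300 missing alerts or whether the midstream-pickup change in max_detect.lua (stream_tcp.require_3whs) is responsible. The script below is an added example written for this page; it is not code posted by Noah, Russ, or the Snort project. It assumes only that each alert_fast line carries the "[**] [gid:sid:rev]" field that Snort 3's alert_fast logger writes, and keys on that; the sample alert lines, the 1:1000xxx signature IDs and their message text are constructed for illustration, not real output from the maccdc pcap. Given the alert_fast output of a baseline run and a --tweaks run it reports the per-signature delta, largest drop first, so the missing alerts can be traced to specific rules (for example, stream-dependent rules that no longer fire once midstream pickups are disabled).

```python
import re
import sys
from collections import Counter

# alert_fast writes the generator/signature/revision triple as "[gid:sid:rev]"
# immediately after the first "[**]" marker; that field is all we key on, so
# the exact layout of the rest of the line (classification, priority, 5-tuple)
# does not matter. Summary lines such as "total_alerts: N" never match.
SIG_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]")


def count_signatures(alert_lines):
    """Count alerts per (gid, sid) in alert_fast output, ignoring non-alert lines."""
    counts = Counter()
    for line in alert_lines:
        m = SIG_RE.search(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def diff_runs(baseline_lines, tweaked_lines):
    """Return (baseline_counts, tweaked_counts, deltas).

    deltas maps (gid, sid) -> tweaked - baseline, only for signatures whose
    count changed; a negative value means the tweaked run fired that rule less.
    Counter returns 0 for a signature absent from one run, so rules that exist
    only on one side are reported as well.
    """
    base = count_signatures(baseline_lines)
    tweak = count_signatures(tweaked_lines)
    deltas = {}
    for sig in set(base) | set(tweak):
        d = tweak[sig] - base[sig]
        if d != 0:
            deltas[sig] = d
    return base, tweak, deltas


def report(deltas):
    """Render deltas as 'gid:sid  +/-n' lines, largest drop first."""
    rows = sorted(deltas.items(), key=lambda kv: (kv[1], kv[0]))
    return ["%d:%d  %+d" % (gid, sid, d) for (gid, sid), d in rows]


def load_alerts(path):
    """Read one alert_fast capture; tolerate odd bytes in payload-derived text."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read().splitlines()


# Constructed sample captures (not real Snort output). Signature IDs 1:1000001
# onward and their messages are hypothetical local rules used for illustration.
BASELINE_ALERTS = """
04/26-13:40:01.000001 [**] [1:366:11] "PROTOCOL-ICMP PING Unix" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.202.1 -> 192.168.202.2
04/26-13:40:01.000002 [**] [1:366:11] "PROTOCOL-ICMP PING Unix" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.202.1 -> 192.168.202.3
04/26-13:40:02.000001 [**] [1:1000001:1] "LOCAL constructed flow rule A" [**] [Priority: 2] {TCP} 192.168.202.10:44321 -> 192.168.21.5:80
04/26-13:40:02.000002 [**] [1:1000001:1] "LOCAL constructed flow rule A" [**] [Priority: 2] {TCP} 192.168.202.10:44322 -> 192.168.21.5:80
04/26-13:40:02.000003 [**] [1:1000001:1] "LOCAL constructed flow rule A" [**] [Priority: 2] {TCP} 192.168.202.10:44323 -> 192.168.21.5:80
04/26-13:40:03.000001 [**] [1:1000002:1] "LOCAL constructed flow rule B" [**] [Priority: 2] {TCP} 192.168.202.11:50001 -> 192.168.21.5:443
total_alerts: 6
""".splitlines()

TWEAKED_ALERTS = """
04/26-13:40:01.000001 [**] [1:366:11] "PROTOCOL-ICMP PING Unix" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.202.1 -> 192.168.202.2
04/26-13:40:01.000002 [**] [1:366:11] "PROTOCOL-ICMP PING Unix" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.202.1 -> 192.168.202.3
04/26-13:40:02.000001 [**] [1:1000001:1] "LOCAL constructed flow rule A" [**] [Priority: 2] {TCP} 192.168.202.10:44321 -> 192.168.21.5:80
04/26-13:40:04.000001 [**] [1:1000003:1] "LOCAL constructed rule C" [**] [Priority: 2] {TCP} 192.168.202.12:50002 -> 192.168.21.6:8080
total_alerts: 4
""".splitlines()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        base_lines, tweak_lines = load_alerts(sys.argv[1]), load_alerts(sys.argv[2])
    else:
        # No files given: run on the constructed samples above.
        base_lines, tweak_lines = BASELINE_ALERTS, TWEAKED_ALERTS
    _, _, deltas = diff_runs(base_lines, tweak_lines)
    print("\n".join(report(deltas)) or "no per-signature differences")
```

To use it against the thread's scenario, capture the alert_fast output of the run without --tweaks and of the run with --tweaks max_detect to two files and pass them as the two arguments; signatures whose delta is negative are where the 1,300 alerts went, and comparing that list against the rules' flow/stream options tells you whether require_3whs, or something else in the tweak, is the cause.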
Current thread:
- question on --tweaks max_detect Noah Dietrich (Apr 26)
- Re: question on --tweaks max_detect Russ Combs (rucombs) via Snort-devel (Apr 26)
- Re: question on --tweaks max_detect Noah Dietrich (Apr 27)
- Re: question on --tweaks max_detect Filice II, Anthony via Snort-devel (Apr 27)
- Re: question on --tweaks max_detect Noah Dietrich (Apr 27)
- Re: question on --tweaks max_detect Noah Dietrich (Apr 28)
- Re: question on --tweaks max_detect Noah Dietrich (Apr 27)
- Re: question on --tweaks max_detect Russ Combs (rucombs) via Snort-devel (Apr 26)