Re: question on --tweaks max_detect

[Noah Dietrich <noah_dietrich () 86penny org>]

yes, each run of snort is a one-off (I'm not running as a daemon).
I'm launching an instance of snort to scan a single pcap file (so i'm
replaying the exact same traffic through snort), and then snort closes once
the pcap has been processed against ther ruleset.
i'm modifying each run of snort to test with and without the max_detect
option

thanks
Noah


On Mon, Apr 27, 2020 at 8:29 PM Filice II, Anthony <
Anthony.FiliceII () ally com> wrote:

> Did you restart your snort process?
>
>
>
> *From:* Snort-devel <snort-devel-bounces () lists snort org> *On Behalf Of *Noah
> Dietrich
> *Sent:* Monday, April 27, 2020 1:12 PM
> *To:* Russ Combs (rucombs) <rucombs () cisco com>
> *Cc:* snort-devel () lists snort org
> *Subject:* Re: [Snort-devel] question on --tweaks max_detect
>
>
>
> *External Email:* Do not click any links or open any attachments unless
> you trust the sender and know the content is safe.
>
> Commenting that out in max_detect didn't seem to fix the  issue,
>
> I saw a few more alerts with that line commented out (43466) compared to
> running max_detect as originally created (43245) , but not as many as
> when i ran without max_detect  (44564).
>
>
>
> Noah
>
>
>
>
>
>
>
>
>
>
>
> On Mon, Apr 27, 2020 at 12:13 AM Russ Combs (rucombs) <rucombs () cisco com>
> wrote:
>
> Hi Noah,
>
>
>
> Try commenting out the below line max_detect.lua.  We are planning to
> remove that; from security.lua as well.  The default allows midstream
> pickups.
>
>
>
> stream_tcp.require_3whs = 0
>
>
>
> Russ
>
>
>
> *From: *Snort-devel <snort-devel-bounces () lists snort org> on behalf of
> Noah Dietrich <noah_dietrich () 86penny org>
> *Date: *Sunday, April 26, 2020 at 1:39 PM
> *To: *"snort-devel () lists snort org" <snort-devel () lists snort org>
> *Subject: *[Snort-devel] question on --tweaks max_detect
>
>
>
> Hello,
>
>
>
> I have a question on the *--tweaks max_detect* flag.
>
> when i run it, i'm actually seeing less alerts generated as when i don't
> include that flag, which seems counter-intuitive.
>
>
>
> The command i'm running:
>
> sudo snort -c /usr/local/etc/snort/snort.lua -r
> ~/pcaps/maccdc2012_00000.pcap -A alert_fast -s 65535 -k none --tweaks
> max_detect
>
>
>
> my snort.lua is attached, i'm using the Registered ruleset and builtin
> rules on snort 3.0.1 b2, ubuntu 20 x64.
>
>
>
> with max_detect:
>
> total_alerts: 43245
>
> runtime: 00:03:49
>
>
>
> without max_detect:
>
> total_alerts: 44564
>
> runtime: 00:03:51
>
>
>
> the pcap file is from:
>
> wget
> https://download.netresec.com/pcap/maccdc-2012/maccdc2012_00000.pcap.gz
>
> gunzip maccdc2012_00000.pcap.gz
>
>
>
> not a big deal, but odd.
>
> Thanks
>
> Noah
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!