[Snort-devel] SNORT Alert Messages

Russ rucombs at cisco.com
Sat Jun 9 08:43:38 EDT 2018


Check your shutdown counts under Limits.  Looks like you need to 
increase this:

config detection: max_queue_events

More info here:

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node9.html#SECTION00275000000000000000

Hope that helps.
Russ

On 6/9/18 5:24 AM, İzzettin Erdem via Snort-devel wrote:
> Hello Everyone,
>
> I changed community rules with my own rules and I realize that SNORT 
> just prints alert messages maximum 5 times to console if it finds more 
> than 5 alerts. For instance, I inspect one packet's payload with 
> WireShark and wrote one rule which matches with packet's payload. I 
> wrote this rule 20 times to rule file and I ran Snort. Snort gave me 
> just 5 alert messages. How can I increase this alert count ? I am 
> working on a Project and I am a beginner. I am very pleased if you can 
> help me.
>
> Example:
>
> Rule File:
> alert tcp any any -> any any (msg:"Feature1"; content:"#JN1"; nocase; sid:1;)
> alert tcp any any -> any any (msg:"Feature2"; content:"#JN1"; nocase; sid:2;)
> alert tcp any any -> any any (msg:"Feature3"; content:"#JN1"; nocase; sid:3;)
> .
> .
> .
> alert tcp any any -> any any (msg:"Feature20"; content:"#JN1"; nocase; sid:20;)
>
> Snort Output:
> 05/-22:56:55.056993  [**] [1:2019:0] Feature2 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
> 05/-22:56:55.056993  [**] [1:2017:0] Feature4 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
> 05/-22:56:55.056993  [**] [1:2015:0] Feature11 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
> 05/-22:56:55.056993  [**] [1:2013:0] Feature15 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
> 05/-22:56:55.056993  [**] [1:460:0] Feature18 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
> Total Alerts: 5
>
> Expected Output:
> 05/-22:56:55.056993  [**] [1:2019:0] Feature1 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
> 05/-22:56:55.056993  [**] [1:2017:0] Feature2 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
> 05/-22:56:55.056993  [**] [1:2015:0] Feature3 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
> .
> .
> .
> 05/-22:56:55.056993  [**] [1:2013:0] Feature19 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
> 05/-22:56:55.056993  [**] [1:460:0] Feature20 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
> Total Alerts: 20
>
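The symptom in this thread (exactly five alerts per packet, no matter how many rules match) is what a clipped event queue looks like in the alert log. The following script is an added example, not code from the thread or from the Snort project: it parses Snort's "fast" alert format, counts alerts per packet (same timestamp, protocol, source and destination), and flags packets whose count sits at the configured ceiling, which is the signal that `config detection: max_queue_events` needs raising. The sample alert lines are constructed to mirror the ones quoted above; the default of 5 for `max_queue_events` is taken from the count the poster observed and should be replaced with the value in your own snort.conf.

```python
import re
from collections import Counter

# Constructed sample in Snort's "fast" alert format, modelled on the lines
# quoted in the thread. Five alerts share one timestamp and flow (the
# pattern the poster saw); the last alert belongs to a different packet.
SAMPLE_ALERTS = """\
06/09-22:56:55.056993  [**] [1:2019:0] Feature2 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
06/09-22:56:55.056993  [**] [1:2017:0] Feature4 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
06/09-22:56:55.056993  [**] [1:2015:0] Feature11 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
06/09-22:56:55.056993  [**] [1:2013:0] Feature15 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
06/09-22:56:55.056993  [**] [1:460:0] Feature18 [**] [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
06/09-22:57:01.000001  [**] [1:1:0] Unrelated [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.2.15:5353 -> 224.0.0.251:5353
"""

# One fast-format line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:[^\]]*\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("gid", "sid", "rev", "prio"):
            d[k] = int(d[k])
        alerts.append(d)
    return alerts


def alerts_per_packet(alerts):
    """Count alerts keyed by (timestamp, proto, src, dst); one packet yields one key."""
    counts = Counter()
    for a in alerts:
        counts[(a["ts"], a["proto"], a["src"], a["dst"])] += 1
    return counts


def clipped_packets(alerts, max_queue_events=5):
    """Packets whose alert count has reached the configured queue ceiling.

    Reaching the cap does not prove events were dropped, but a packet that
    repeatedly lands on exactly max_queue_events is the signature of the
    limit this thread discusses, and a reason to raise the setting.
    The default of 5 is an assumption taken from the poster's output.
    """
    return sorted(key for key, n in alerts_per_packet(alerts).items()
                  if n >= max_queue_events)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(f"parsed {len(parsed)} alerts")
    for key in clipped_packets(parsed):
        print("at queue ceiling:", key)
```

Run it against a real `alert` file by replacing `SAMPLE_ALERTS` with the file's contents; after raising `max_queue_events` and restarting Snort, the flagged packets should show counts above the old cap (or no longer appear at all).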
