[Snort-devel] SNORT Alert Configuration

Furkan Çelik furkancelik.yalova at gmail.com
Thu Jun 14 03:57:46 EDT 2018


Hello everyone,

When I give a pcap file to Snort, a maximum of 5 alerts is displayed. So I
configured the snort.conf file and changed the values of the max_queue_events
and log parameters. (It was 5 by default.) I increased the value to 1000, and
I noticed that even though I changed the value, the maximum number of logs
displayed was 100. I wanted to know whether there is any other parameter that
I need to change. How can I see every alert on the terminal?

Another question: as a solution to the first question I edited the
snort.conf file and uncommented the "config profile_rules: print all, sort
matches, filename /home/ubuntu/output.txt append" line. (It was commented
out by default.) When I run the "sudo snort -A console -q -c /etc/snort/snort.conf
-r sample.pcap" command, even though a rule matches the packet it does not
give an alert. I wanted to know why it doesn't give an alert.

As an example for the second question, when I run the "sudo snort -A console -q -c
/etc/snort/snort.conf -r sample.pcap" command, the output is like this:

timestamp: 1528957146
Rule Profile Statistics (worst 4950 rules)
==========================================================
   Num   SID  GID  Rev  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch  Disabled
   ===   ===  ===  ===  ======  =======  ======  =========  =========  =========  ============  ========
     1  1660    1    0      16        2       1         34        2.2       17.3           0.0         0
     2  1666    1    0      16        2       1         34        2.2       17.4           0.0         0
     3  1482    1    0       1        1       0          1        1.5        1.5           0.0         0
     4  1024    1    0       1        1       0          1        1.8        1.8           0.0         0
     5  1763    1    0       1        1       1          1        1.9        1.9           0.0         0
     6  1233    1    0       1        1       1          1        1.7        1.7           0.0         0
     7  1612    1    0       1        1       1          2        2.3        2.3           0.0         0
     8  1370    1    0       1        1       1          2        2.4        2.4           0.0         0
     9  1375    1    0       1        1       0          2        2.7        2.7           0.0         0
   ...
   238  2160    1    0       1        0       0          0        0.7        0.0           0.7         0
   239    17    1    0       1        0       0          0        0.7        0.0           0.7         0
   240   381    1    0      14        0       0          1        0.1        0.0           0.1         0
   241  2162    1    0       1        0       0          0        0.3        0.0           0.3         0
   242   380    1    0      14        0       0          1        0.1        0.0           0.1         0
   243  2141    1    0       1        0       0          0        0.3        0.0           0.3         0
   244  2167    1    0       1        0       0          0        0.7        0.0           0.7         0
   245   285    1    0      14        0       0          2        0.2        0.0           0.2         0

If you look at lines 3 and 4, you can see that there are matches but no
alerts. Why? Thanks.
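The following is an added example, not code from the original post or from the Snort project: a small Python parser for the Rule Profile Statistics table that Snort 2's `config profile_rules` writes, so the Matches and Alerts columns can be compared per rule instead of by eye. The sample text is constructed from a subset of the rows quoted in the post, realigned to one line per rule; the function and field names are this example's own assumptions. It reads the table, flags every rule whose Matches exceeds its Alerts, and totals both columns.

```python
"""Parse Snort 2 'Rule Profile Statistics' output (config profile_rules) and
list rules that matched but raised fewer alerts than matches.

Added example; not from the original post or the Snort project. The sample
below is constructed from rows quoted in the post, one row per line."""

import re
from dataclasses import dataclass

# Constructed sample: a subset of the profile table from the post.
PROFILE_SAMPLE = """\
timestamp: 1528957146
Rule Profile Statistics (worst 4950 rules)
==========================================================
   Num   SID  GID  Rev  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch  Disabled
   ===   ===  ===  ===  ======  =======  ======  =========  =========  =========  ============  ========
     1  1660    1    0      16        2       1         34        2.2       17.3           0.0         0
     2  1666    1    0      16        2       1         34        2.2       17.4           0.0         0
     3  1482    1    0       1        1       0          1        1.5        1.5           0.0         0
     4  1024    1    0       1        1       0          1        1.8        1.8           0.0         0
     5  1763    1    0       1        1       1          1        1.9        1.9           0.0         0
   240   381    1    0      14        0       0          1        0.1        0.0           0.1         0
"""


@dataclass(frozen=True)
class RuleStats:
    """One row of the profile table, in the column order Snort prints."""
    num: int
    sid: int
    gid: int
    rev: int
    checks: int
    matches: int
    alerts: int
    microsecs: int
    avg_check: float
    avg_match: float
    avg_nonmatch: float
    disabled: int


# Twelve whitespace-separated fields: eight integers, three floats, one integer.
# Header, separator and timestamp lines do not have this shape and are skipped.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+(\d+)\s*$"
)


def parse_profile(text):
    """Return a list of RuleStats for every data row in the profile output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        f = m.groups()
        rows.append(RuleStats(
            int(f[0]), int(f[1]), int(f[2]), int(f[3]),
            int(f[4]), int(f[5]), int(f[6]), int(f[7]),
            float(f[8]), float(f[9]), float(f[10]), int(f[11]),
        ))
    return rows


def matched_without_alert(rows):
    """Rules whose options matched more often than an alert was generated."""
    return [r for r in rows if r.matches > r.alerts]


def summarize(rows):
    """Totals across the parsed rows, for comparing against what -A console showed."""
    return {
        "rules": len(rows),
        "matches": sum(r.matches for r in rows),
        "alerts": sum(r.alerts for r in rows),
    }


if __name__ == "__main__":
    parsed = parse_profile(PROFILE_SAMPLE)
    print(summarize(parsed))
    for r in matched_without_alert(parsed):
        print(f"gid:sid {r.gid}:{r.sid} rev {r.rev}: "
              f"{r.matches} matches, {r.alerts} alerts")
```

Run it against the full output file named in the `config profile_rules` line (here /home/ubuntu/output.txt) instead of the embedded sample to get the complete list. In Snort 2, Matches is counted when all of a rule's options match a packet, while Alerts is counted when the resulting event is actually logged; the per-packet queue size and log count come from `config event_queue: max_queue <n> log <m> order_events <order>`, and `config detection: max_queue_events <n>` is a separate limit on the detection engine's queue, so both are worth checking when the two columns disagree.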