On Sat, Jun 9, 2018 at 11:24 AM, İzzettin Erdem via Snort-devel <snort-devel@lists.snort.org> wrote:
Hello Everyone,

I replaced the community rules with my own rules and I realized that Snort prints alert messages to the console at most 5 times if it finds more than 5 alerts. For instance, I inspected one packet's payload with Wireshark and wrote one rule which matches the packet's payload. I wrote this rule 20 times in the rule file and ran Snort. Snort gave me just 5 alert messages. How can I increase this alert count? I am working on a project and I am a beginner. I would be very pleased if you could help me.

Example:

Rule File:
alert tcp any any -> any any (msg:"Feature1"; content:"#JN1"; nocase; sid:1)
alert tcp any any -> any any (msg:"Feature2"; content:"#JN1"; nocase; sid:2) 
alert tcp any any -> any any (msg:"Feature3"; content:"#JN1"; nocase; sid:3) 
.
.
.
alert tcp any any -> any any (msg:"Feature20"; content:"#JN1"; nocase; sid:20)

Snort Output:
05/-22:56:55.056993  [**] [1:2019:0] Feature2 [**]  [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216

The [gid:sid:revision] https://www.snort.org/rule_docs/1-2019 do not correspond to your alert settings above. Is this real Snort output?

Marcin
 
05/-22:56:55.056993  [**] [1:2017:0] Feature4 [**]  [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216 
05/-22:56:55.056993  [**] [1:2015:0] Feature11 [**]  [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216 
05/-22:56:55.056993  [**] [1:2013:0] Feature15 [**]  [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216 
05/-22:56:55.056993  [**] [1:460:0] Feature18 [**]  [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
Total Alerts: 5

Expected Output:
05/-22:56:55.056993  [**] [1:2019:0] Feature1 [**]  [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
05/-22:56:55.056993  [**] [1:2017:0] Feature2 [**]  [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216 
05/-22:56:55.056993  [**] [1:2015:0] Feature3 [**]  [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
.
.
.
05/-22:56:55.056993  [**] [1:2013:0] Feature19 [**]  [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216 
05/-22:56:55.056993  [**] [1:460:0] Feature20 [**]  [Priority: 0] {TCP} 46.20.153.125:80 -> 10.0.2.15:56216
Total Alerts: 20

