[Snort-users] RE: [Snort-devel] max_queue_events

Marc Norton marc.norton at ...1935...
Mon May 10 06:35:10 EDT 2004


max_queue_event determines how many alerts/events to queue per packet.
When packet processing is done, one or more of these is saved.  Snort
versions prior to 2.1.3 use this parameter and can log only one event
per packet.  Starting with version 2.1.3 the queue size and the number
of events per packet to log can be adjusted.   This has nothing to do
with dropping traffic, at least not directly.

> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of Thomas Bechtold
> Sent: Friday, May 07, 2004 3:08 PM
> To: snort-users at lists.sourceforge.net; snort-devel at lists.sourceforge.net
> Subject: [Snort-devel] max_queue_events
> 
> Hi,
> Could anybody explain to me the exact function of max_queue_events?
> I looked at the source code, but I'm not sure what purpose this parameter
> has. I'm not good at programming ;)
> 
> Can I tell Snort how big the queue for packets (which will be checked)
> is? The default is 5, so if I increase this value, Snort would be slower
> but wouldn't have packet loss? Right or not?
> 
> Cheers Thomas
> 
> 
> 
> used max_queue_event with:
> 
> [snip snort.conf]
> config detection: max_queue_events 10
> [snap]
> 
> 





