[Snort-users] Setting max_queue to 1
beenish.raza at ...125...
Thu May 22 14:52:56 EDT 2014
I want to report only 1 rule matched per packet. Like, if a packet matches multiple rules, then it should report or log just one rule against which it matched. From what I understand up till now, you have to make changes in the snort.conf file. I changed this line of snort.conf
config event_queue: max_queue 8 log 3 order_events content_length
config event_queue: max_queue 1 log 1 order_events content_length
and saved this file.
But now when I run the pcap file, it again reports multiple matches against the single packet.
What else do I need to do to make this work?
After making changes in snort.conf
I did this:
snort restart but it gave me this error:
Can't see DAQ BPF filter to 'restart'