[Snort-users] Setting max_queue to 1

Beenish Raza beenish.raza at ...125...
Fri May 23 16:54:04 EDT 2014


Please guide me.
I am making these changes in snort.conf
config event_queue: max_queue 1 log 1 order_events content_length
Run commands to ensure that config file has no errors but still
snort is reporting more than 1 match against the same packet.

From: beenish.raza at ...125...
To: snort-users at lists.sourceforge.net
Date: Thu, 22 May 2014 23:52:56 +0500
Subject: [Snort-users] Setting max_queue to 1




I want to report only 1 rule matched per packet. Like, if a packet matches multiple rules then it should report or log just one rule against which it matched. What I understand up till now is that you have to make changes in the snort.conf file. I changed this line of snort.conf
config event_queue: max_queue 8 log 3 order_events content_length
with
config event_queue: max_queue 1 log 1 order_events content_length
and saved this file.
But now when I run the pcap file, it again reports multiple matches against the single packet.
What else do I need to do to make this work?
After making changes in snort.conf
I did this:
snort restart but it gave me this error:
Can't see DAQ BPF filter to 'restart'

 		 	   		  
