[Snort-users] Issues in changing max_queue_events value

Russ rucombs at ...589...
Thu Jun 1 06:38:29 EDT 2017


Look for this in src/fpdetect.h:

#define MAX_EVENT_MATCH 100

The lesser of max_queue_events and MAX_EVENT_MATCH is the effective 
upper bound.

That said, it is a little unusual to have so many rules firing on the 
same packet.

On 5/30/17 11:42 AM, Navdeep Uniyal wrote:
> Dear Users,
>
> I have been trying to experiment with 200 alerts for Snort. But the issue is that while I am increasing the max_queue_events value to 300, it is getting defaulted to 100.
>
> As per Snort output:
>
> Action Stats:
>       Alerts:      100 (9998.500%)
>       Logged:      100 (9998.500%)
>       Passed:            0 (  0.000%)
> Limits:
>        Match:      100
>        Queue:       0
>          Log:            0
>        Event:         0
>        Alert:           0
>
>
> Which means that it is alerting for 100 rules, whereas the other 100 rules are matching but are ignored. As per the Snort manual, max_queue_events handles this factor, which I am already changing. Please, if you could help me in this regard.
>
> PFA the Snort file.
>
>
>
> Best Regards,
> Navdeep
>
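As an added worked example (not part of this thread and not code from the Snort project), here is a small Python check that does what Russ's reply implies an admin should do by hand: read the max_queue_events value from a "config detection:" line in snort.conf, clamp it to the compile-time MAX_EVENT_MATCH, and parse the "Limits:" block of Snort's exit statistics to flag when the per-packet match cap was actually hit. It assumes MAX_EVENT_MATCH is 100 as stated above (re-check src/fpdetect.h in the tree you built), that the manual's default of 5 applies when the option is absent, and that the stats block has the layout Navdeep pasted; the snort.conf line and the stats text inside the block are constructed samples, not real captures.

```python
"""Sanity-check Snort 2.x per-packet event queue limits.

Added example for the thread above; not Snort project code.
Assumptions (verify against your own build):
  - MAX_EVENT_MATCH is the compile-time cap from src/fpdetect.h (100 here).
  - max_queue_events is set via 'config detection: max_queue_events <n>'
    and defaults to 5 when absent (Snort 2.9 manual).
  - The 'Limits:' block of Snort's exit statistics looks like the one
    pasted in the thread ('<name>: <count>' lines, one per counter).
"""
import re

MAX_EVENT_MATCH = 100  # assumed value of the #define in src/fpdetect.h
DEFAULT_MAX_QUEUE_EVENTS = 5  # manual default when the option is not set

_CONF_DETECTION = re.compile(r'^\s*config\s+detection\s*:\s*(.*?)\s*$', re.I)
_LIMIT_LINE = re.compile(r'^\s*(\w+):\s+(\d+)\s*$')


def configured_max_queue_events(conf_text, default=DEFAULT_MAX_QUEUE_EVENTS):
    """Return max_queue_events from a snort.conf text, or the default."""
    for line in conf_text.splitlines():
        m = _CONF_DETECTION.match(line)
        if not m:
            continue
        # 'config detection:' takes space-separated options, some with a value
        tokens = m.group(1).split()
        for i, tok in enumerate(tokens):
            if tok == 'max_queue_events' and i + 1 < len(tokens):
                return int(tokens[i + 1])
    return default


def effective_match_limit(configured):
    """The bound Snort really applies: the lesser of the config and the #define."""
    return min(configured, MAX_EVENT_MATCH)


def parse_limits(stats_text):
    """Extract the counters under 'Limits:' from Snort's exit statistics."""
    limits = {}
    in_block = False
    for line in stats_text.splitlines():
        if line.strip() == 'Limits:':
            in_block = True
            continue
        if not in_block:
            continue
        m = _LIMIT_LINE.match(line)
        if not m:
            break  # first non-counter line ends the block
        limits[m.group(1)] = int(m.group(2))
    return limits


def diagnose(conf_text, stats_text):
    """Compare the configured queue size with the compile-time cap and
    report whether the cap was hit during the run."""
    configured = configured_max_queue_events(conf_text)
    effective = effective_match_limit(configured)
    limits = parse_limits(stats_text)
    findings = []
    if configured > MAX_EVENT_MATCH:
        findings.append(
            'max_queue_events %d exceeds MAX_EVENT_MATCH %d; effective limit is %d '
            '(raise the #define and rebuild to go higher)'
            % (configured, MAX_EVENT_MATCH, effective))
    if limits.get('Match', 0) > 0:
        findings.append(
            'Limits/Match hit %d time(s): matches beyond %d per packet were dropped'
            % (limits['Match'], effective))
    return {'configured': configured, 'effective': effective,
            'limits': limits, 'findings': findings}


# Constructed samples mirroring the thread, not real captures.
SAMPLE_CONF = "config detection: search-method ac-bnfa max_queue_events 300\n"
SAMPLE_STATS = """\
Action Stats:
      Alerts:      100 (9998.500%)
      Logged:      100 (9998.500%)
      Passed:            0 (  0.000%)
Limits:
       Match:      100
       Queue:       0
         Log:            0
       Event:         0
       Alert:           0
"""

if __name__ == '__main__':
    report = diagnose(SAMPLE_CONF, SAMPLE_STATS)
    print('configured=%(configured)d effective=%(effective)d' % report)
    for f in report['findings']:
        print('WARNING:', f)
```

Run it against your own snort.conf and the statistics Snort prints on exit; a non-zero Match counter under Limits means the queue filled on at least one packet, so alerts were silently dropped regardless of what max_queue_events says.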
