I am making use of snort. I want to report only 1 rule matched per packet. Like, if a packet matches multiple rules then it should report or log just one rule against which it matched. From what I understand uptill now is that you have to make changes in snort.conf file. I changed this line of snort.conf
config event_queue: max_queue 8 log 3 order_events content_length
with
config event_queue: max_queue 1 log 1 order_events content_length
and save this file.
But now when I run the pcap file , again it reports multiple matches against the single packet.
What else I need to do to make this work?
After making changes in snort.conf
I did this:
snort restart
but it gave me this error:
Can't see DAQ BPF filter to 'restart'
The configuration:
config event_queue: max_queue 1 log 1
should be all that you need. If it's still logging more than 1 event per packet/stream then snort did not restart with the new configuration.
"snort restart" is not the correct way to restart snort. Are you running snort in daemon mode? Depending on what OS you are running you need to restart the daemon or kill the snort process and start it again so that it can pick up the new snort.conf file. Typically to restart the snort daemon you can just run the command:
sudo /etc/init.d/snortd restart
But again, this depends on the OS.
If you aren't running snort in daemon mode then you just need to kill the process and start it again. You can run "pgrep snort" to get the pid of snort. If you don't remember the options that you started snort with you can run "ps auxwww |grep snort" and this should return the command that you used to start snort. You can then kill the pid and run that same command again. Hope this helps.