Snort - the de facto standard for intrusion detection/prevention
the de facto standard for IPS  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Snort Downloads Snort Rules Snort Docs Snort Training Snort Forums Snort Community Snort Store
Search Site
Search Rules
Account
email
password
not registered?
can't login?
user preferences
next up previous contents
Next: 2.5 Output Modules Up: 2. Configuring Snort Previous: 2.3 Event Suppression   Contents

Subsections


2.4 Snort Multi-Event Logging (Event Queue)

Snort supports logging multiple events per packet/stream that are prioritized with different insertion methods, such as max content length or event ordering using the event queue.

The general configuration of the event queue is as follows: 

config event_queue: [max_events [size]] [log [size]] [order_events [TYPE]]

2.4.1 Event Queue Configuration Options

There are three configuration options to the configuration parameter 'event_queue'.

65.
max_queue

This determines the maximum size of the event queue. For example, if the event queue has a max size of 8, only 8 events will be stored for a single packet or stream.

The default value is 8.

66.
log

This determines the number of events to log for a given packet or stream. You can't log more than the max_event number that was specified.

The default value is 3.

67.
order_events

This argument determines the way that the incoming events are ordered. We currently have two different methods:

  • priority - The highest priority (1 being the highest) events are ordered first.

  • content_length - Rules are ordered before decode or preprocessor alerts, and rules that have a longer content are ordered before rules with shorter contents.

The method in which events are ordered does not affect rule types such as pass, alert, log, etc.

The default value is content_length.

2.4.2 Event Queue Configuration Examples

The default configuration: 

config event_queue: max_queue 8 log 3 order_events content_length

Example of a reconfigured event queue: 

config event_queue: max_queue 10 log 3 order_events content_length

Use the default event queue values, but change event order: 

config event_queue: order_events priority

Use the default event queue values but change the number of logged events: 

config event_queue: log 2

next up previous contents
Next: 2.5 Output Modules Up: 2. Configuring Snort Previous: 2.3 Event Suppression   Contents
Terms of Use | Privacy Policy | forum archives | site feedback ©2009 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.