[Snort-devel] Portscan2 ignore hosts

Ian Macdonald secsnortdev at ...1490...
Wed Sep 18 13:44:01 EDT 2002


Hmmm, it doesn't seem to be working, it still seems to be logging port scans
that have a destination IP that is in the ignore list

I am using.

preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5,
port_limit 20, timeout 60
preprocessor portscan2-ignorehosts: 66.109.210.254 66.109.210.138
66.109.210.7 66.109.210.23 209.132.134.98 208.242.115.30 145.9.3.17

Have changed the IP addresses to protect the innocent.

I am still seeing portscans to 66.109.210.254. This is with build 205

I have disabled portscanning until I have time to look at a debug version of
snort, but that will not be till mid next week.

Ian

----- Original Message -----
From: "Steve Halligan" <giermo at ...269...>
To: "'Ian Macdonald'" <secsnortdev at ...1490...>;
<snort-devel at lists.sourceforge.net>
Sent: Wednesday, September 18, 2002 4:12 PM
Subject: RE: [Snort-devel] Portscan2 ignore hosts


>
>
> >Just wanting to check should I be using
> >preprocessor portscan-ignorehosts: 0.0.0.0
> >or
> >preprocessor portscan2-ignorehosts: 0.0.0.0
> >
> >for ignoring the hosts in portscan2?
> >
> >There is no mention of portscan2-ignorehosts in the
> >snort.conf, or in the
> >online documents. So I thought I would double check here.
> >
> >Thanks
>
> preprocessor portscan2-ignorehosts: yadda yadda yadda
>
> -steve
>
>
> -------------------------------------------------------
> This SF.NET email is sponsored by: AMD - Your access to the experts
> on Hammer Technology! Open Source & Linux Developers, register now
> for the AMD Developer Symposium. Code: EX8664
> http://www.developwithamd.com/developerlab
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>





More information about the Snort-devel mailing list