[Snort-devel] Snort Version 2.0.0 (Build 72) and up & portscan2-ignorehosts

Sean Wheeler s.wheeler at ...2016...
Mon Jul 14 09:31:06 EDT 2003


Hi,

I noticed the following when using \ in defining a long list of IP
addresses.
The notation works fine with rules, but does not work with the
portscan2-ignorehosts directive.

The condition exists in both
-*> Snort! <*-
Version 2.0.0 (Build 72)

 and

-*> Snort! <*-
Version 2.0.1beta (Build 87)


--------------------------------
snort.conf - Not Working

var Portscan_Ignore [81.6.5.225/32,81.6.5.226/32,81.6.5.227/32,81.6.5.228/32,81.6.5.229/32,81.6.5.230/32,81.6.5.231/32,81.6.5.232/32,81.6.5.233/32,81.6.5.234/32, \
81.6.5.235/32]

preprocessor portscan2-ignorehosts: $Portscan_Ignore

ERROR: ERROR /testrule/etc/snort.conf(76) => Unrecognized IP address/netmask
Fatal Error, Quitting..

---------------------------------
snort.conf - Working

var Portscan_Ignore [81.6.5.225/32,81.6.5.226/32,81.6.5.227/32,81.6.5.228/32,81.6.5.229/32,81.6.5.230/32,81.6.5.231/32,81.6.5.232/32,81.6.5.233/32,81.6.5.234/32,81.6.5.235/32]

preprocessor portscan2-ignorehosts: $Portscan_Ignore


Snort sucessfully loaded all rules and checked all rule chains!


------------------------------------

This rule works fine with the \ notation

alert tcp $ANY_Servers $any -> $Portscan_Ignore $any (msg:"testing_da_looooong_iplist";classtype:attempted-admin;sid:1001832;rev:1;)
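
Added example (not part of the original post and not Snort code): a pre-flight script that joins backslash-continued lines in a snort.conf and rewrites each bracketed var IP list in the single-line, whitespace-free form the post reports as working, flagging entries that do not parse as an address or CIDR. The function names and the shortened sample config are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the continued definition from the post, shortened.
SAMPLE_CONF = (
    "var Portscan_Ignore [81.6.5.225/32,81.6.5.226/32, \\\n"
    "81.6.5.235/32]\n"
    "preprocessor portscan2-ignorehosts: $Portscan_Ignore\n"
)

# "var NAME [a,b,c]" on one logical line (hypothetical helper pattern).
VAR_LIST = re.compile(r"^(\s*var\s+\S+\s+)\[(.*)\]\s*$")


def join_continuations(text):
    """Merge physical lines ending in a backslash into logical lines."""
    logical, pending = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            pending += line.rstrip()[:-1]  # drop the backslash, keep the rest
        else:
            logical.append(pending + line)
            pending = ""
    if pending:  # file ended on a dangling continuation
        logical.append(pending)
    return logical


def flatten_ip_lists(text):
    """Return (new_text, problems) with var IP lists on one line, no spaces."""
    out, problems = [], []
    for line in join_continuations(text):
        m = VAR_LIST.match(line)
        if m:
            entries = [e.strip() for e in m.group(2).split(",")]
            for e in entries:
                if e.startswith("$") or e == "any":
                    continue  # variable references and "any" are not literals
                try:
                    ipaddress.ip_network(e.lstrip("!"), strict=False)
                except ValueError:
                    problems.append(e)
            line = m.group(1).rstrip() + " [" + ",".join(entries) + "]"
        out.append(line)
    return "\n".join(out) + "\n", problems


if __name__ == "__main__":
    fixed, bad = flatten_ip_lists(SAMPLE_CONF)
    print(fixed, end="")
    print("unparseable entries:", bad)
```

Running the output through snort -T before deploying confirms that the rewritten file loads.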






