[Snort-devel] documentation

Jon Hart warchild at ...1775...
Tue Sep 9 18:40:20 EDT 2003


On Fri, Mar 21, 2003 at 04:57:16PM -0500, Chris Green wrote:
> "Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:
> 
> > Are there currently plans to document the functionality of HttpFlow,
> > portscan2-ignoreports... so on so forth?
> 
> Yup. It's at the end of a long list of things to do.

I stumbled upon this email while looking for something else, and figured
I'd give this a shot.

This patch documents portscan2-ignoreports-to/portscan2-ignoreports-from
to the best of my knowledge.

Hope this helps,

-jon
-------------- next part --------------
--- snort-orig/doc/snortman.tex	2003-09-06 03:15:16.000000000 -0400
+++ snort-new/doc/snortman.tex	2003-09-09 21:28:12.000000000 -0400
@@ -2624,6 +2624,32 @@
 \end{tabular}\end{center}
 \end{table}
 
+\subsection{Portscan2 Ignoreports}
+
+These two preprocessors modify the Portscan2 preprocessor and instruct it
+to ignore alerts going to and/or from certain TCP and UDP ports.  To ignore
+alerts \emph{to} certain ports, use portscan2-ignoreports-to.  To ignore 
+alerts \emph{from} certain ports, use portscan2-ignoreports-from.  These two
+directives must come after the portscan2 preprocessor in snort.conf.  Ports
+may only be specified as a whitespace delimitted list.
+
+\subsubsection{Format}
+\begin{verbatim}
+preprocessor portscan2-ignoreports-from: <port list>
+preprocessor portscan2-ignoreports-to: <port list>
+\end{verbatim}
+
+\subsubsection{Example}
+\begin{figure}[!hbpt]
+\begin{verbatim} 
+preprocessor portscan2-ignoreports-from: 53  80
+preprocessor portscan2-ignoreports-to: 80 1080
+\end{verbatim}
+
+\caption{\label{portscan2 ignore ports example}Portscan2 Ignoreports Module
+Configuration Example}
+\end{figure}                                 
+
 \subsection{Telnet Decode\label{sub:Telnet-Decode}}
 
 The telnet\_decode preprocessor allows snort to normalize telnet control
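
Review bot: The paragraph under \subsection{Portscan2 Ignoreports} says the directives "ignore alerts going to and/or from certain TCP and UDP ports", but it does not say whether matching traffic is left out of portscan2's tracking altogether or only has its alerts suppressed, nor whether "from" and "to" refer to the packet's source and destination port. Please state both. An operator copying the example line "preprocessor portscan2-ignoreports-from: 53  80" needs to know how much visibility is being given up, and a source port is a value the sending host sets, so the text should make clear what the from-list excludes. Smaller points: "delimitted" should be "delimited"; the first sentence calls these "two preprocessors" while a later sentence calls them "directives", so pick one term; the new \subsection carries no \label although the following one uses \label{sub:Telnet-Decode}; and \label{portscan2 ignore ports example} contains spaces, unlike that convention.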

