[Snort-users] several nameservers to be excluded

Christopher Cramer cec at ...68...
Tue Aug 1 16:57:46 EDT 2000


Patrick et al,

I lost the original email about this, but I have tracked down the bug
regarding excluding a number of nameservers in the portscan preprocessor.

The problem is not in your code, but rather in the default snort-lib file.

The current snort-lib file defines:

var DNS_SERVER <server 1> <server 2> ... <server N>

It then passes this variable to:

preprocessor portscan-ignorehosts: $DNS_SERVER

So your portscan-ignorehosts initializer only sees _1_ token.  It then
passes the token off to ParseIP.  ParseIP correctly handles the variable,
however, it only handles the 1st token in the variable.

When I call portscan-ignorehosts in the following manner:

preprocessor portscan-ignorehosts: <server 1> <server 2> ... <server N>

Everything works perfectly.

Hope this helps clear up the problem.

-Chris

----------------------------------------------------------------------
Dr. Christopher E. Cramer
Associate in Research
Duke University, Department of Electrical and Computer Engineering
114 Hudson Hall, Box 90291, Durham, NC  27708-0291
PH:  919-660-5248     FAX:  919-660-5293     email:  cec at ...68...
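
Added example (not part of the original message, and not Snort's source code): a small C model of the ordering problem described above, where the argument string is split into tokens before the variable is expanded, so only the first server in the variable ends up on the ignore list. The function names, the stand-in parser and the 192.0.2.x addresses are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample standing in for: var DNS_SERVER <server 1> ... <server N> */
static const char *VAR_NAME  = "DNS_SERVER";
static const char *VAR_VALUE = "192.0.2.1/32 192.0.2.2/32 192.0.2.3/32";
/* Return the variable's value for "$DNS_SERVER", otherwise the token itself. */
static const char *expand(const char *tok)
{
    return (tok[0] == '$' && strcmp(tok + 1, VAR_NAME) == 0) ? VAR_VALUE : tok;
}

/* Hypothetical parser: resolves a variable but keeps only its first token. */
static void parse_first(const char *tok, char *out, size_t n)
{
    const char *src = expand(tok);
    snprintf(out, n, "%.*s", (int)strcspn(src, " \t"), src);
}

/* Failing order: split the argument string first, expand each token after. */
int split_then_expand(const char *args, char hosts[][32], int max)
{
    char buf[512];
    int count = 0;
    snprintf(buf, sizeof buf, "%s", args);
    for (char *t = strtok(buf, " \t"); t && count < max; t = strtok(NULL, " \t"))
        parse_first(t, hosts[count++], 32);
    return count;
}

/* Other order: expand variables into one string, then split that string. */
int expand_then_split(const char *args, char hosts[][32], int max)
{
    char buf[256], expanded[512] = "";
    size_t off = 0;
    snprintf(buf, sizeof buf, "%s", args);
    for (char *t = strtok(buf, " \t"); t; t = strtok(NULL, " \t")) {
        int w = snprintf(expanded + off, sizeof expanded - off, "%s ", expand(t));
        if (w < 0 || (size_t)w >= sizeof expanded - off) { expanded[off] = '\0'; break; }
        off += (size_t)w;
    }
    return split_then_expand(expanded, hosts, max);
}

int main(void)
{
    char h[8][32];
    printf("%d vs %d\n", split_then_expand("$DNS_SERVER", h, 8), expand_then_split("$DNS_SERVER", h, 8));
}
```

In this model, passing the literal server list (the workaround in the message) yields all three hosts with either ordering; only the variable form loses entries.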