[Snort-users] several nameservers to be excluded

Christopher Cramer cec at ...68...
Tue Aug 1 16:57:46 EDT 2000

Patrick et al,

I lost the original email about this, but I have tracked down the bug
regarding excluding a number of nameservers in the portscan preprocessor.

The problem is not in your code, but rather in the default snort-lib file.

The current snort-lib file defines:

var DNS_SERVER <server 1> <server 2> ... <server N>

It then passes this variable to:

preprocessor portscan-ignorehosts: $DNS_SERVER

So your portscan-ignorehosts initializer only sees _1_ token.  It then
passes the token off to ParseIP.  ParseIP correctly handles the variable;
however, it only handles the 1st token in the variable.

When I call portscan-ignorehosts in the following manner:

preprocessor portscan-ignorehosts: <server 1> <server 2> ... <server N>

Everything works perfectly.

Hope this helps clear up the problem.


Dr. Christopher E. Cramer
Associate in Research
Duke University, Department of Electrical and Computer Engineering
114 Hudson Hall, Box 90291, Durham, NC  27708-0291
PH:  919-660-5248     FAX:  919-660-5293     email:  cec at ...68...
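
The ordering problem described in the message above, as an added example that is not part of the original post and not Snort's own code: a small C model in which the argument string is split into tokens before the variable is expanded, next to the opposite order. The function names, the parse_first_token stand-in for ParseIP, and the 192.0.2.x addresses are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 16
#define VAR_NAME "$DNS_SERVER"
/* Constructed value standing in for the snort-lib variable (documentation-range IPs). */
static const char *DNS_SERVER = "192.0.2.1 192.0.2.2 192.0.2.3";

/* Hypothetical stand-in for ParseIP as described: it expands the variable,
 * but keeps only the first whitespace-delimited token of the value. */
static int parse_first_token(const char *tok, char *out) {
    const char *val = strcmp(tok, VAR_NAME) == 0 ? DNS_SERVER : tok;
    size_t n = strcspn(val, " \t");
    if (n == 0 || n >= 32) return 0;
    memcpy(out, val, n);
    out[n] = '\0';
    return 1;
}

/* Order described in the message: split the argument string first, expand
 * each token afterwards. "$DNS_SERVER" is one token, so one host results. */
int tokenize_then_expand(const char *args, char hosts[][32]) {
    char buf[512];
    int count = 0;
    snprintf(buf, sizeof buf, "%s", args);
    for (char *t = strtok(buf, " \t"); t && count < MAX_HOSTS; t = strtok(NULL, " \t"))
        count += parse_first_token(t, hosts[count]);
    return count;
}

/* Alternative order: substitute the variable into the line, then split. */
int expand_then_tokenize(const char *args, char hosts[][32]) {
    char buf[256], expanded[512] = "";
    snprintf(buf, sizeof buf, "%s", args);
    for (char *t = strtok(buf, " \t"); t; t = strtok(NULL, " \t")) {
        const char *val = strcmp(t, VAR_NAME) == 0 ? DNS_SERVER : t;
        if (strlen(expanded) + strlen(val) + 2 > sizeof expanded) break;
        strcat(expanded, val);
        strcat(expanded, " ");
    }
    return tokenize_then_expand(expanded, hosts);
}

int main(void) {
    char hosts[MAX_HOSTS][32];
    printf("tokenize, then expand: %d host(s) ignored\n", tokenize_then_expand(VAR_NAME, hosts));
    printf("expand, then tokenize: %d host(s) ignored\n", expand_then_tokenize(VAR_NAME, hosts));
    return 0;
}
```

In the first ordering the remaining servers are dropped without any error, so the only visible symptom is that they are still not excluded by the portscan preprocessor.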
