[Snort-users] RE: portscan-ignorehosts not working

Jason Jin jason at ...338...
Wed Aug 16 16:18:33 EDT 2000


Hi, 

I'm using snort-1.6-3 on redhat 6.x 
portscan-ignorehosts seem not working right 

I have six host that i'd like to ignore
here's section on my rules 

var DNS1  x.y.z.1/32  x.y.z.2/32
var DNS2  x.y.z.3/32  x.y.z.4/32
var DNS3  x.y.z.5/32  x.y.z.6/32

then 
preprocessor portscan: $INTERNAL  3 5  /var/log/snort/portscan.log 
preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3

restarting snort, the portsan log still shows the 
scan for x.y.z.2
         x.y.z.4
and      x.y.z.5, x.y.z/6 (but not from x.y.z.1/3)

any ideas? does the white space has too be tab instead of space 
(that seem do't make a differiece either in my case ) 

TIA,   

Jason





More information about the Snort-users mailing list