[Snort-users] RE: portscan-ignorehosts not working
Christopher Cramer
cec at ...68...
Wed Aug 16 16:26:35 EDT 2000
Jason,
The reason this won't work is b/c of variable substitution within
snort. Currently variables are really only accessing the first network
in the list.
Try instead:
preprocessor portscan: $INTERNAL 3 5 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: x.y.z.1/32 x.y.z.2/32 x.y.z.3/32 x.y.z.4/32 x.y.z.5/32 x.y.z.6/32
My guess is that you are actually ignoring portscans from: x.y.z.[246]
-Chris
----------------------------------------------------------------------
Dr. Christopher E. Cramer
Associate in Research
Duke University, Department of Electrical and Computer Engineering
114 Hudson Hall, Box 90291, Durham, NC 27708-0291
PH: 919-660-5248 FAX: 919-660-5293 email: cec at ...68...
On Wed, 16 Aug 2000, Jason Jin wrote:
> Hi,
>
> I'm using snort-1.6-3 on redhat 6.x
> portscan-ignorehosts seems not to be working right
>
> I have six hosts that I'd like to ignore
> here's the section in my rules
>
> var DNS1 x.y.z.1/32 x.y.z.2/32
> var DNS2 x.y.z.3/32 x.y.z.4/32
> var DNS3 x.y.z.5/32 x.y.z.6/32
>
> then
> preprocessor portscan: $INTERNAL 3 5 /var/log/snort/portscan.log
> preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3
>
> restarting snort, the portscan log still shows the
> scan for x.y.z.2
> x.y.z.4
> and x.y.z.5, x.y.z/6 (but not from x.y.z.1/3)
>
> any ideas? does the white space have to be a tab instead of a space
> (that doesn't seem to make a difference either in my case)
>
> TIA,
>
> Jason
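An added example, not part of the original thread and not Snort code: a Python check that finds `portscan-ignorehosts` lines referencing a `var` that holds several networks, the pattern the reply says only honours the first network, and writes the directive out with literal values as the reply suggests. The sample config is constructed from the post, and `audit_ignorehosts` is a hypothetical helper name.

```python
import re

# Constructed sample, modelled on the configuration quoted in the post.
SAMPLE_CONF = """\
var DNS1 x.y.z.1/32 x.y.z.2/32
var DNS2 x.y.z.3/32 x.y.z.4/32
var DNS3 x.y.z.5/32 x.y.z.6/32
preprocessor portscan: $INTERNAL 3 5 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+)$")
IGNORE_RE = re.compile(r"^\s*preprocessor\s+portscan-ignorehosts\s*:\s*(.*)$")
REF_RE = re.compile(r"\$(\w+)")


def audit_ignorehosts(conf):
    """Audit portscan-ignorehosts lines (hypothetical helper, not Snort code).

    Returns (findings, rewritten). A finding is (line_no, var, kept, dropped)
    for a referenced variable with several values, assuming only the first is
    honoured as the reply describes; an undefined variable gives kept=None.
    """
    lines = conf.splitlines()
    variables = {m.group(1): m.group(2).split()
                 for m in map(VAR_RE.match, lines) if m}
    findings, rewritten = [], []
    for line_no, line in enumerate(lines, start=1):
        m = IGNORE_RE.match(line)
        if not m:
            continue
        literal = []
        for token in m.group(1).split():
            ref = REF_RE.fullmatch(token)
            values = variables.get(ref.group(1)) if ref else [token]
            if values is None:  # reference to a variable never defined
                findings.append((line_no, ref.group(1), None, []))
                values = [token]
            elif ref and len(values) > 1:
                findings.append((line_no, ref.group(1), values[0], values[1:]))
            literal.extend(values)
        rewritten.append("preprocessor portscan-ignorehosts: " + " ".join(literal))
    return findings, rewritten


if __name__ == "__main__":
    found, fixed = audit_ignorehosts(SAMPLE_CONF)
    for line_no, name, kept, dropped in found:
        print(f"line {line_no}: ${name} keeps {kept}, drops {' '.join(dropped)}")
    print("\n".join(fixed))
```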