[Snort-users] RE: portscan-ignorehosts not working

Christopher Cramer cec at ...68...
Wed Aug 16 16:26:35 EDT 2000


Jason,

The reason this won't work is b/c of variable substitution within
snort.  Currently variables are really only accessing the first network
in the list.

Try instead:

preprocessor portscan: $INTERNAL  3 5  /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: x.y.z.1/32 x.y.z.2/32 x.y.z.3/32 x.y.z.4/32 x.y.z.5/32 x.y.z.6/32

My guess is that you are actually ignoring portscans from: x.y.z.[246]

-Chris

----------------------------------------------------------------------
Dr. Christopher E. Cramer
Associate in Research
Duke University, Department of Electrical and Computer Engineering
114 Hudson Hall, Box 90291, Durham, NC  27708-0291
PH:  919-660-5248     FAX:  919-660-5293     email:  cec at ...68...


On Wed, 16 Aug 2000, Jason Jin wrote:

> Hi, 
> 
> I'm using snort-1.6-3 on redhat 6.x 
> portscan-ignorehosts seems not to be working right
> 
> I have six hosts that I'd like to ignore
> here's the section of my rules
> 
> var DNS1  x.y.z.1/32  x.y.z.2/32
> var DNS2  x.y.z.3/32  x.y.z.4/32
> var DNS3  x.y.z.5/32  x.y.z.6/32
> 
> then 
> preprocessor portscan: $INTERNAL  3 5  /var/log/snort/portscan.log 
> preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3
> 
> restarting snort, the portscan log still shows the
> scan for x.y.z.2
>          x.y.z.4
> and      x.y.z.5, x.y.z/6 (but not from x.y.z.1/3)
> 
> any ideas? does the white space have to be tab instead of space
> (that doesn't seem to make a difference either in my case)
> 
> TIA,   
> 
> Jason
> 
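A small checker for the workaround in the reply, added here as an example (not part of the original thread and not Snort's own code): it finds multi-valued `var` definitions referenced on `preprocessor` lines and inlines their literal network lists. The function names are assumptions for illustration, and the sample config is the quoted rules section rebuilt as a constructed string.

```python
import re

# Constructed sample: the rules section quoted in the original post.
SAMPLE_CONF = """\
var DNS1  x.y.z.1/32  x.y.z.2/32
var DNS2  x.y.z.3/32  x.y.z.4/32
var DNS3  x.y.z.5/32  x.y.z.6/32
preprocessor portscan: $INTERNAL  3 5  /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3
"""

VAR_REF = re.compile(r"\$(\w+)")


def parse_vars(conf):
    """Map each `var NAME v1 v2 ...` line to its full list of values."""
    variables = {}
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 3 and fields[0] == "var":
            variables[fields[1]] = fields[2:]
    return variables


def inline_multi_value_vars(conf):
    """Rewrite preprocessor lines so every multi-valued variable is replaced
    by its literal value list. Returns (new_conf, findings), where findings
    is a list of (line_number, variable_name, values)."""
    variables = parse_vars(conf)
    out, findings = [], []
    for lineno, line in enumerate(conf.splitlines(), start=1):
        if line.lstrip().startswith("preprocessor"):
            def expand(match, lineno=lineno):
                values = variables.get(match.group(1))
                if values is None or len(values) < 2:
                    return match.group(0)  # undefined or single-valued: keep
                findings.append((lineno, match.group(1), values))
                return " ".join(values)
            line = VAR_REF.sub(expand, line)
        out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    new_conf, findings = inline_multi_value_vars(SAMPLE_CONF)
    for lineno, name, values in findings:
        print(f"line {lineno}: ${name} holds {len(values)} networks; inlined")
    print(new_conf, end="")
```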




