[Snort-users] RE: portscan-ignorehosts not working
StrmShdw
sectech at ...136...
Wed Aug 16 21:00:35 EDT 2000
assuming all host are on the same subnet it would be x.y.x.0/29, if they do
in fact begin with with the x.x.x.1 numbering
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Jason Jin
Sent: Wednesday, August 16, 2000 13:19
To: snort-users at lists.sourceforge.net
Cc: Patrick.Mullen at ...24...
Subject: [Snort-users] RE: portscan-ignorehosts not working
Hi,
I'm using snort-1.6-3 on redhat 6.x
portscan-ignorehosts seem not working right
I have six host that i'd like to ignore
here's section on my rules
var DNS1 x.y.z.1/32 x.y.z.2/32
var DNS2 x.y.z.3/32 x.y.z.4/32
var DNS3 x.y.z.5/32 x.y.z.6/32
then
preprocessor portscan: $INTERNAL 3 5 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3
restarting snort, the portsan log still shows the
scan for x.y.z.2
x.y.z.4
and x.y.z.5, x.y.z/6 (but not from x.y.z.1/3)
any ideas? does the white space has too be tab instead of space
(that seem do't make a differiece either in my case )
TIA,
Jason
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
More information about the Snort-users
mailing list