[Snort-users] RE: portscan-ignorehosts not working

StrmShdw sectech at ...136...
Wed Aug 16 21:00:35 EDT 2000


assuming all host are on the same subnet it would be x.y.x.0/29, if they do
in fact begin with with the x.x.x.1 numbering

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Jason Jin
Sent: Wednesday, August 16, 2000 13:19
To: snort-users at lists.sourceforge.net
Cc: Patrick.Mullen at ...24...
Subject: [Snort-users] RE: portscan-ignorehosts not working


Hi,

I'm using snort-1.6-3 on redhat 6.x
portscan-ignorehosts seem not working right

I have six host that i'd like to ignore
here's section on my rules

var DNS1  x.y.z.1/32  x.y.z.2/32
var DNS2  x.y.z.3/32  x.y.z.4/32
var DNS3  x.y.z.5/32  x.y.z.6/32

then
preprocessor portscan: $INTERNAL  3 5  /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3

restarting snort, the portsan log still shows the
scan for x.y.z.2
         x.y.z.4
and      x.y.z.5, x.y.z/6 (but not from x.y.z.1/3)

any ideas? does the white space has too be tab instead of space
(that seem do't make a differiece either in my case )

TIA,

Jason


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users





More information about the Snort-users mailing list