[Snort-users] RE: portscan-ignorehosts not working

Mullen, Patrick Patrick.Mullen at ...24...
Thu Aug 17 10:26:36 EDT 2000


[I just got back from vacation so my account is set to
nomail.  My apologies if this has already been answered.]

> I'm using snort-1.6-3 on redhat 6.x
> portscan-ignorehosts seems not to be working right
>
> I have six hosts that I'd like to ignore
> here's the section of my rules

Has this issue been resolved?  I think it should work
as shown.  By "restart" you mean killed the daemon and
re-ran, right?  SPP doesn't listen to the SIGHUP signal
(It probably should; adding to the list now.  Actually,
I need to look into what snort does when it gets a HUP
and reads the config file regarding preprocessors.)

Remember that TCP "stealth" scans from servers are
always flagged.  This is in case your server is compromised,
though I'm in the process of adding a threshold for
stealth scans, too.

I will probably be on "nomail" for most of today while
trying to catch up after a two-week absence.  Please
cc: me directly on matters regarding the portscan
preprocessor.  


Thanks,

~Patrick




