[Snort-users] RE: portscan-ignorehosts not working

Jason Jin jason at ...338...
Fri Aug 18 11:56:22 EDT 2000


I was reporting earlier that portscan-ignoreports was
not working right. Here's an update on the problem:

Here's the section of my rules:

var DNS1  x.y.z.1/32  x.y.z.2/32
var DNS2  x.y.z.3/32  x.y.z.4/32
var DNS3  x.y.z.5/32  x.y.z.6/32

then
preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3

I completely stopped and restarted snort; the portscan log still shows
the normal scans from x.y.z.2, x.y.z.4, and x.y.z.6.

(I was reporting that x.y.z.5 was also showing in the scan log.
Patrick pointed out that was because it was using a stealth scan, which
was the case.)

So my problem is: it appears only the first part of each
variable defined is accepted; the rest, like
x.y.z.[246], is not accepted. Any ideas?

PS: As a workaround, I define six $DNSx (where x=1,2,..6), then
put them all in
preprocessor portscan-ignorehosts: $DNS1 $DNS2  ...$DNS6

TIA,

Jason.
   



