[Snort-users] RE: portscan-ignorehosts not working
Jason Jin
jason at ...338...
Fri Aug 18 11:56:22 EDT 2000
I was resporting earlier that portscan-ignoreports
not working right. Here's an update of the problem:
here's section on my rules
var DNS1 x.y.z.1/32 x.y.z.2/32
var DNS2 x.y.z.3/32 x.y.z.4/32
var DNS3 x.y.z.5/32 x.y.z.6/32
then
preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3
I completed stop/restart snort, the portsan log still shows
the normal scan from x.y.z.2, x.y.z.4,and x.y.z.6
( I was reporting that x.y.z.5 also showing in the sanlog
Patrick point out because It was using stealth scan, which
was the case)
so my problem is : it appears only the first part of
variable defined is accepeted , the rest like
x.y.z.[246] is not accepted. any ideas?
PS: as a work around , I define six $DNSx(where x=1,2,..6), then
put them all in
preprocessor portscan-ignorehosts: $DNS1 $DNS2 ...$DNS6
TIA,
Jason .
More information about the Snort-users
mailing list