[Snort-users] RE: portscan-ignorehosts not working
erickson at ...239...
Fri Aug 18 12:56:28 EDT 2000
Hello Jason, Christopher, Patrick, and fellow Snorters,
I am sorry about my earlier non-plain text posting.
Thank you for your response.
I tried going back to a single variable with 7 network definitions on one line
and I still tripped the preprocessor. So I tried what Jason and Christopher
I defined 7 variables but only one network/mask per variable and so far that
Five of the hosts I am trying to ignore are on the same subnet x.x.33.x, the
other two are on x.x.240.x and x.x.233.x.
I really appreciate your rapid response.
----- Original Message -----
From: "Christopher Cramer" <cec at ...68...>
To: "Jason Jin" <jason at ...338...>
Cc: <snort-users at lists.sourceforge.net>; <Patrick.Mullen at ...345...>
Sent: Friday, August 18, 2000 9:14 AM
Subject: Re: [Snort-users] RE: portscan-ignorehosts not working
> The reason for this is the following:
> Patrick's portscan-ignorehosts preprocessor receives N input
> arguments. In the case of $DNS1, $DNS2, $DNS3, there are three input
> arguments. When Patrick processes his input arguments, all he knows is
> that there are three of them. For each of the three he makes a call to an
> internal snort function which fills in a network/netmask structure based
> on the value of the variable.
> Unfortunately, this internal snort function only handles the first
> network/netmask in a variable (currently snort doesn't handle variables w/
> multiple networks specified in them). So, when the portscan preprocessor
> handles its arguments, it basically does the following:
> for i=1 -> num_args [num_args is 3 in your case]
>     create place for network/netmask i
>     call internal snort function to process arg[i]
>     save this single network/netmask to ignore
> Since the internal snort function only grabs the 1st network/netmask in
> the variable, and the preprocessor only has 3 arguments, you are only
> set up to disregard the first network/netmask in each of the three
> If you were to write:
> var DNS1 x.y.z.1/32 x.y.z.2/32 x.y.z.3/32 ... x.y.z.6/32
> preprocessor portscan-ignorehosts: $DNS1
> then this would be read as one argument to portscan-ignorehosts which
> would only pull one network/netmask from the variable, leaving you only
> disregarding x.y.z.1/32
> If, however, you did:
> preprocessor portscan-ignorehosts:x.y.z.1/32 x.y.z.2/32
> then you would have 6 arguments to portscan-ignorehosts and you would
> correctly handle the 6 network/netmask values to ignore.
> You could also write this as:
> var DNS1 x.y.z.1/32
> var DNS2 x.y.z.2/32
> var DNS3 x.y.z.3/32
> var DNS4 x.y.z.4/32
> var DNS5 x.y.z.5/32
> var DNS6 x.y.z.6/32
> preprocessor portscan-ignorehosts: $DNS1 ... $DNS6
> portscan-ignorehosts would have 6 args and all would be well.
> I hope this gives some explanation for the behavior you are seeing.
> On Fri, 18 Aug 2000, Jason Jin wrote:
> > I was reporting earlier that portscan-ignoreports
> > was not working right. Here's an update of the problem:
> > Here's the section of my rules:
> > var DNS1 x.y.z.1/32 x.y.z.2/32
> > var DNS2 x.y.z.3/32 x.y.z.4/32
> > var DNS3 x.y.z.5/32 x.y.z.6/32
> > then
> > preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3
> > I completely stopped/restarted snort; the portscan log still shows
> > the normal scan from x.y.z.2, x.y.z.4, and x.y.z.6.
> > (I was reporting that x.y.z.5 was also showing in the scan log;
> > Patrick pointed out it was because it was using a stealth scan, which
> > was the case.)
> > So my problem is: it appears only the first part of the
> > variable defined is accepted; the rest, like
> > x.y.z., is not accepted. Any ideas?
> > PS: as a workaround, I define six $DNSx (where x=1,2,...,6), then
> > put them all in
> > preprocessor portscan-ignorehosts: $DNS1 $DNS2 ...$DNS6
> > TIA,
> > Jason .
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
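The argument handling Christopher describes above, written out as an added example by the editor of this archive page; it is not Snort's own code and not part of any message in the thread. It models a config parser in which a `$VAR` reference passed as one `portscan-ignorehosts` argument yields only the first network in the variable (the behaviour described), and compares it with full expansion and with Jason's one-network-per-variable workaround. The two config texts, the variable names and the RFC 5737 addresses (in place of the thread's `x.y.z.*`) are constructed for the example. The `multi_network_vars` lint is the check a defender would want: it flags any variable carrying more than one network that is passed as a single argument, since only its first network would take effect.

```python
"""Model of the portscan-ignorehosts argument handling described in the thread.

Editor-added example; not Snort's code. Assumptions: a 'var NAME value...'
line defines a variable, and 'preprocessor NAME: args' passes whitespace-
separated tokens, each either a literal network or a $VAR reference.
"""
import ipaddress
import re

# Constructed sample configs (not from the original mail). Addresses are in
# RFC 5737 documentation space, standing in for the thread's x.y.z.* hosts.
CONFIG_MULTI_PER_VAR = """\
var DNS1 192.0.2.1/32 192.0.2.2/32
var DNS2 192.0.2.3/32 192.0.2.4/32
var DNS3 192.0.2.5/32 192.0.2.6/32
preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3
"""

CONFIG_ONE_PER_VAR = """\
var DNS1 192.0.2.1/32
var DNS2 192.0.2.2/32
var DNS3 192.0.2.3/32
var DNS4 192.0.2.4/32
var DNS5 192.0.2.5/32
var DNS6 192.0.2.6/32
preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3 $DNS4 $DNS5 $DNS6
"""

VAR_LINE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")
PREPROC_LINE = re.compile(r"^\s*preprocessor\s+([\w-]+)\s*:\s*(.*?)\s*$")


def parse_vars(config):
    """Collect 'var NAME value...' lines into a dict of raw value strings."""
    variables = {}
    for line in config.splitlines():
        m = VAR_LINE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def preprocessor_args(config, name):
    """Return the whitespace-separated argument tokens of 'preprocessor NAME: ...'."""
    for line in config.splitlines():
        m = PREPROC_LINE.match(line)
        if m and m.group(1) == name:
            return m.group(2).split()
    return []


def resolve_token(token, variables, first_only):
    """Turn one argument token into a list of ip_network objects.

    first_only=True models the behaviour described in the thread: a $VAR
    reference yields only the first network/netmask stored in the variable.
    first_only=False keeps every network in the variable (what the poster
    expected to happen).
    """
    if token.startswith("$"):
        value = variables.get(token[1:])
        if value is None:
            raise KeyError(f"undefined variable {token}")
        parts = value.split()
        if first_only:
            parts = parts[:1]
    else:
        parts = [token]
    return [ipaddress.ip_network(p, strict=False) for p in parts]


def ignored_networks(config, first_only=True):
    """All networks portscan-ignorehosts ends up ignoring under the chosen model."""
    variables = parse_vars(config)
    nets = []
    for token in preprocessor_args(config, "portscan-ignorehosts"):
        nets.extend(resolve_token(token, variables, first_only))
    return nets


def is_ignored(config, host, first_only=True):
    """Would a scan from `host` be suppressed by the ignore list?"""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in ignored_networks(config, first_only))


def multi_network_vars(config):
    """Lint: variables holding more than one network that are passed as a
    single portscan-ignorehosts argument (only their first network counts)."""
    variables = parse_vars(config)
    return [t[1:] for t in preprocessor_args(config, "portscan-ignorehosts")
            if t.startswith("$") and len(variables.get(t[1:], "").split()) > 1]


if __name__ == "__main__":
    for label, cfg in (("multi per var", CONFIG_MULTI_PER_VAR),
                       ("one per var", CONFIG_ONE_PER_VAR)):
        print(label, [str(n) for n in ignored_networks(cfg)],
              "lint:", multi_network_vars(cfg))
```

Running it shows the first config ignoring only 192.0.2.1, .3 and .5 (so .2, .4 and .6 still appear in the scan log, as Jason saw), while the one-network-per-variable layout ignores all six; the lint names DNS1, DNS2 and DNS3 for the first config and nothing for the second.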