[Snort-users] Just can't ignore...

Don Kendrick don at ...156...
Wed Jul 26 11:03:47 EDT 2000


OK, I give up:

I got a machine on the DMZ that scans a bunch of services on another 
machine. Needless to say, snort sees this as a portscan.

Here's what I tried:

Add the -o to the command line and add the following rule:

pass tcp scanner_ip any > target any

The portscans still show up in the alert log. Note that when starting I do 
get a message about the rule order changing...so the -o is taking.

Since that failed, I also tried to uncomment the line in my rules that 
starts with:

preprocessor portscan-ignorehosts:

so that it reads:

preprocessor portscan-ignorehosts: scanner_ip/32

then while starting I get an error message that says that I did not provide 
a netmask on line 20 (this line). Huh?

What am I missing...

TIA

don
Don Kendrick, CNE, CCNA, CISSP




