[Snort-users] Just can't ignore...
don at ...156...
Wed Jul 26 12:52:08 EDT 2000
Actually you gave me an idea and it worked!
All I did was just retype the preprocessor line....must have been
At 09:39 AM 7/26/00 -0700, you wrote:
>Well, as for the first part, pass rules do not ignore port scan
>detections, because the port scan detector is a preprocessor, and is not
>affected by them. You are right about the portscan-ignorehosts
>preprocessor. That's what you should be using. Mine looks something
>var HOME_NET xxx.xxx.xx.xx/24
>var DNS yyy.yy.yy.yyy/32
>preprocessor portscan: $HOME_NET 10 1 /var/log/portscan.log
>preprocessor portscan-ignorehosts: $DNS
>Unfortunately, I was unable to reproduce your problem. I do know that
>the error message is coming from the rules portion of snort, so it's not
>an issue with the portscan preprocessor. Perhaps there's an extra
>space, or just some minor syntax detail that's causing the problem.
>Sorry I couldn't be much help,
>Don Kendrick wrote:
> > OK, I give up:
> > I got a machine on the DMZ that scans a bunch of services on another
> > machine. Needless to say, snort sees this as a portscan.
> > Here's what I tried:
> > add the -o to the command line and add the following rule:
> > pass tcp scanner_ip any > target any
> > The portscans still show up in the alert log. Note that when starting I do
> > get a message about the rule order changing...so the -o is taking.
> > Since that failed, I also tried to uncomment the line in my rules that
> > starts with:
> > preprocessor portscan-ignorehosts:
> > so that it reads:
> > preprocessor portscan-ignorehosts: scanner_ip/32
> > then while starting I get an error message that says that I did not provide
> > a netmask on line 20 (this line). Huh?
> > What am I missing...
> > TIA
> > don
> > Don Kendrick, CNE, CCNA, CISSP
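A line that looks correct but draws a netmask error, and is fixed by retyping it, is the symptom discussed in this thread. The following lint is an added example, not part of the original messages and not Snort's own parser: the function name, the constructed sample config (documentation addresses) and the assumption that every portscan-ignorehosts entry must be in address/mask form are all illustrative.

```python
import ipaddress
import re

# Constructed sample config in the style quoted in the thread.
SAMPLE_CONF = (
    "var HOME_NET 192.0.2.0/24\n"
    "var DNS 198.51.100.53/32\n"
    "preprocessor portscan: $HOME_NET 10 1 /var/log/portscan.log\n"
    "preprocessor portscan-ignorehosts: $DNS\n"
    "preprocessor portscan-ignorehosts: 198.51.100.7\n"          # mask missing
    "preprocessor portscan-ignorehosts: 198.51.100.7/32\u00a0\n"  # trailing NBSP
)

def lint_ignorehosts(conf_text):
    """Return (line_no, message) findings for portscan-ignorehosts lines."""
    variables, findings = {}, []
    for no, raw in enumerate(conf_text.split("\n"), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"var\s+(\w+)\s+(\S+)", line)
        if m:  # remember variables so $NAME can be expanded later
            variables[m.group(1)] = m.group(2)
            continue
        if not line.startswith("preprocessor portscan-ignorehosts:"):
            continue
        # Characters an editor or terminal will not show (CR, NBSP, ...).
        hidden = sorted({repr(c) for c in raw
                         if c != "\t" and not (" " <= c <= "~")})
        if hidden:
            findings.append((no, "hidden characters: " + ", ".join(hidden)))
        for token in line.split(":", 1)[1].split():
            value = variables.get(token[1:]) if token.startswith("$") else token
            if value is None:
                findings.append((no, f"{token}: undefined variable"))
                continue
            try:
                if "/" not in value:
                    raise ValueError("no /netmask")
                ipaddress.ip_network(value, strict=False)
            except ValueError as err:
                findings.append((no, f"{token}: {err}"))
    return findings

if __name__ == "__main__":
    for line_no, message in lint_ignorehosts(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```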