[Snort-users] Just can't ignore...

Don Kendrick don at ...156...
Wed Jul 26 12:52:08 EDT 2000


Actually you gave me an idea and it worked!

All I did was just retype the preprocessor line... must have been
something hidden.

Thanks,

don

At 09:39 AM 7/26/00 -0700, you wrote:
>Hi Don,
>
>Well, as for the first part, pass rules do not ignore port scan
>detections, because the port scan detector is a preprocessor, and is not
>affected by them.  You are right about the portscan-ignorehosts
>preprocessor.  That's what you should be using.  Mine looks something
>like this:
>
>var HOME_NET xxx.xxx.xx.xx/24
>var DNS yyy.yy.yy.yyy/32
>
>preprocessor portscan: $HOME_NET 10 1 /var/log/portscan.log
>preprocessor portscan-ignorehosts: $DNS
>
>Unfortunately, I was unable to reproduce your problem.  I do know that
>the error message is coming from the rules portion of snort, so it's not
>an issue with the portscan preprocessor.  Perhaps there's an extra
>space, or just some minor syntax detail that's causing the problem.
>
>Sorry I couldn't be much help,
>
>-Joe M.
>
>Don Kendrick wrote:
> >
> > OK,  I give up:
> >
> > I've got a machine on the DMZ that scans a bunch of services on another
> > machine. Needless to say, snort sees this as a portscan.
> >
> > Here's what I tried:
> >
> > add the -o to the command line and add the following rule:
> >
> > pass tcp scanner_ip any -> target any
> >
> > The portscans still show up in the alert log. Note that when starting I do
> > get a message about the rule order changing...so the -o is taking.
> >
> > Since that failed, I also tried to uncomment the line in my rules that
> > starts with:
> >
> > preprocessor portscan-ignorehosts:
> >
> > so that it reads:
> >
> > preprocessor portscan-ignorehosts: scanner_ip/32
> >
> > then while starting I get an error message that says that I did not provide
> > a netmask on line 20 (this line). Huh?
> >
> > What am I missing...
> >
> > TIA
> >
> > don
> > Don Kendrick, CNE, CCNA, CISSP
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
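The thread ends with two practical lessons: a "missing netmask" error on a line that visibly has one is usually a hidden character (retyping the line fixed it), and a pass rule cannot silence the portscan preprocessor, because preprocessors run before the rules engine. The following is an added example, not code from the thread or from the Snort project: a small linter that reads a Snort 1.x-style snort.conf, flags non-printable characters on every line, checks that each host given to portscan-ignorehosts (directly or via a $VAR) carries a CIDR netmask, and warns about pass rules when the portscan preprocessor is enabled. The sample config is constructed; the assumption that each whitespace-separated token is one host, and the exact argument count of the portscan line, are mine, not a statement of Snort's grammar.

```python
"""Lint a Snort 1.x-style snort.conf for two problems from the thread:
hidden characters on preprocessor lines and pass rules that cannot
suppress portscan preprocessor alerts. Added example, not Snort code."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[int, str]  # (1-based line number, message)

CIDR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$")
PASS_RULE_MSG = ("pass rule does not affect the portscan preprocessor; "
                 "use portscan-ignorehosts instead")

# Constructed sample: Joe's layout, plus a no-break space (U+00A0) hidden
# between the host and its mask, and the pass rule Don tried first.
SAMPLE_CONF = (
    "var HOME_NET 192.0.2.0/24\n"
    "var DNS 192.0.2.53/32\n"
    "preprocessor portscan: $HOME_NET 10 1 /var/log/portscan.log\n"
    "preprocessor portscan-ignorehosts: $DNS 192.0.2.7\u00a0/32\n"
    "pass tcp 192.0.2.7 any -> 192.0.2.9 any\n"
)


def check_cidr(token: str) -> str:
    """Return '' if token is a valid a.b.c.d/mask, else describe the defect."""
    m = CIDR_RE.match(token)
    if not m:
        if "/" not in token:
            return f"{token!r} has no netmask (expected a.b.c.d/mask)"
        return f"{token!r} is not a valid a.b.c.d/mask"
    octets = [int(x) for x in m.groups()[:4]]
    if any(o > 255 for o in octets):
        return f"{token!r} has an octet greater than 255"
    if int(m.group(5)) > 32:
        return f"{token!r} has a netmask greater than 32"
    return ""


def hidden_chars(line: str) -> List[str]:
    """Describe every character outside printable 7-bit ASCII (tab, CR, NBSP...)."""
    return [f"{ch!r} at column {i + 1}"
            for i, ch in enumerate(line) if not 0x20 <= ord(ch) < 0x7F]


def lint_snort_conf(text: str) -> List[Finding]:
    findings: List[Finding] = []
    variables: Dict[str, str] = {}
    has_portscan = False
    pass_rule_lines: List[int] = []

    def resolve(tok: str):
        # $NAME refers to an earlier 'var NAME value' line; None if undefined.
        return variables.get(tok[1:]) if tok.startswith("$") else tok

    for lineno, raw in enumerate(text.split("\n"), start=1):
        # A hidden byte is the usual cause of "no netmask on line N" errors.
        for desc in hidden_chars(raw):
            findings.append((lineno, f"non-printable character {desc}"))
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()  # also splits on NBSP, exactly as it bites the user
        if fields[0] == "var" and len(fields) == 3:
            variables[fields[1]] = fields[2]
        elif fields[0] == "preprocessor" and len(fields) >= 2:
            name, args = fields[1].rstrip(":"), fields[2:]
            if name == "portscan":
                has_portscan = True
                if len(args) != 4:  # assumed: <network> <ports> <seconds> <logfile>
                    findings.append((lineno, "portscan expects 4 arguments"))
                    continue
                net = resolve(args[0])
                err = check_cidr(net) if net is not None else f"undefined variable {args[0]}"
                if err:
                    findings.append((lineno, err))
                for a in args[1:3]:
                    if not a.isdigit():
                        findings.append((lineno, f"{a!r} is not an integer"))
            elif name == "portscan-ignorehosts":
                if not args:
                    findings.append((lineno, "portscan-ignorehosts lists no hosts"))
                for tok in args:
                    host = resolve(tok)
                    err = check_cidr(host) if host is not None else f"undefined variable {tok}"
                    if err:
                        findings.append((lineno, err))
        elif fields[0] == "pass":
            pass_rule_lines.append(lineno)

    if has_portscan:  # the thread's point: pass rules never reach the preprocessor
        findings.extend((ln, PASS_RULE_MSG) for ln in pass_rule_lines)
    return findings


if __name__ == "__main__":
    for ln, msg in lint_snort_conf(SAMPLE_CONF):
        print(f"line {ln}: {msg}")
```

On the sample the linter reports the no-break space on line 4, the resulting tokens '192.0.2.7' (no netmask) and '/32' (not a host), and the pass rule on line 5; retyping line 4 without the hidden byte leaves only the pass-rule warning, which matches Don's outcome.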