[Snort-users] Multiple networks and port-scanning...

Mullen, Patrick Patrick.Mullen at ...24...
Wed Jul 26 16:22:54 EDT 2000


> preprocessor portscan: x.x.x.x/22 3 5 /var/log/snort_portscan.log
> preprocessor portscan-ignorehosts: $HOME_NET,$HOME_NET2,$HOME_NET3
> 
> 
> will the ignorehosts line work, interpolating the values?

Yes, except the values should be separated by spaces:

preprocessor portscan-ignorehosts: $HOME_NET $HOME_NET2 $HOME_NET3

> and can I somehow have the portscan
> line cover all of the 3 blocks mentioned
> in HOME_NET,HOME_NET2 and HOME_NET3???

Not yet, but soon.  This is part of the config file
enhancement of SPP.  What you can do in the meantime
is set up SPP to listen to a network that includes
all three subnets and ignore any alerts to networks
other than your own.  If your ISP(s) are worth their
money you won't see them, anyway.  The only thing
you'd see is if your own hosts scanned those networks.


~Patrick
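
Added example, not part of the original message and not Snort code: a sketch of the workaround described above. It computes the smallest single block that covers three subnets, then sorts scan alerts by whether they target your own networks. The subnet values, the function names and the (source, target) pairs are constructed for illustration. The separate label for your own hosts scanning a neighbouring network is an assumption about how you would want to triage that case.

```python
import ipaddress

# Constructed sample values standing in for $HOME_NET, $HOME_NET2, $HOME_NET3.
HOME_NETS = [ipaddress.ip_network(n)
             for n in ("10.1.0.0/24", "10.1.2.0/24", "10.1.3.0/24")]


def covering_supernet(nets):
    """Return the smallest single IPv4 CIDR block containing every net."""
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Bits in which the lowest and highest address differ become host bits.
    host_bits = (lo ^ hi).bit_length()
    base = (lo >> host_bits) << host_bits
    return ipaddress.ip_network((base, 32 - host_bits))


def triage(src, dst, home_nets=HOME_NETS):
    """Classify one scan alert seen on the wider monitored block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(dst in n for n in home_nets):
        return "keep"                    # scan aimed at one of our subnets
    if any(src in n for n in home_nets):
        return "own-host-scanning-out"   # our host scanning a neighbour
    return "ignore"                      # someone else's traffic


if __name__ == "__main__":
    watch = covering_supernet(HOME_NETS)
    # Thresholds and log path are the ones from the quoted config line.
    print(f"preprocessor portscan: {watch} 3 5 /var/log/snort_portscan.log")
    # Constructed (source, target) pairs, not real Snort output.
    for src, dst in [("203.0.113.9", "10.1.2.5"),
                     ("203.0.113.9", "10.1.1.5"),
                     ("10.1.3.7", "10.1.1.5")]:
        print(src, "->", dst, triage(src, dst))
```

The covering block here is a /22 that also contains 10.1.1.0/24, a subnet that is not one of the three, which is why the filtering step is needed.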