[Snort-users] Config stuff [was: Dynamic Addresses]
joey at ...47...
Tue Apr 10 14:11:18 EDT 2001
Dave Fitches wrote:
> Can someone tell me if this is right??
> I want Snort to ignore portscan alerts from the DNS servers and game servers
> I connect to...
That part looks good to me. Just make sure preprocessor
portscan-ignorehosts is _after_ the preprocessor portscan line.
> I ALSO want to get snort to ignore any port 53 activity to/from me and my
> DNS servers... can't figure that one out... [Probably me being thick....]
pass tcp $HOME_NET any <> $DNS_SERVERS 53 (msg:"Pass rule for TCP 53";)
pass udp $HOME_NET any <> $DNS_SERVERS 53 (msg:"Pass rule for UDP 53";)
Then, make sure you start snort with -o.
> # Define the addresses of DNS servers and other hosts
> # if you want to ignore portscan false alarms from them...
> var DNS_SERVERS [184.108.40.206/32,220.127.116.11/32]
> var GAME_SERVERS [18.104.22.168/32,22.214.171.124/32,126.96.36.199/32]
> # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
> # specific networks or hosts to reduce false alerts. It is typical
> # to see many false alerts from DNS servers so you may want to
> # add your DNS servers here. You can all multiple hosts/networks
> # in a whitespace-delimited list.
> preprocessor portscan-ignorehosts: $DNS_SERVERS $GAME_SERVERS
| Joe McAlerney joey at ...155... |
| Silicon Defense - Technical Support for Snort |
| http://www.silicondefense.com/ |
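
The three checks from this reply (portscan-ignorehosts placed after portscan, variables defined before the pass rules use them, snort started with -o), as an added Python example that is not part of the original message or of Snort itself. The `lint` helper, the sample config, its placeholder addresses and the portscan arguments are assumptions made up for illustration, and `-o` is assumed to be passed as its own argument.

```python
import re

# Constructed sample config modelled on the thread. Addresses are documentation
# placeholders and the portscan arguments are sample values (assumptions).
SAMPLE_CONF = """\
var HOME_NET 192.0.2.10/32
var DNS_SERVERS [198.51.100.1/32,198.51.100.2/32]
var GAME_SERVERS [203.0.113.5/32]
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS $GAME_SERVERS
pass tcp $HOME_NET any <> $DNS_SERVERS 53 (msg:"Pass rule for TCP 53";)
pass udp $HOME_NET any <> $DNS_SERVERS 53 (msg:"Pass rule for UDP 53";)
"""

def lint(conf_text, snort_argv):
    """Hypothetical helper: list ordering problems in a config and command line."""
    problems, defined = [], set()
    portscan_seen = has_pass = False
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Every $VAR must have been defined by an earlier "var" line.
        for var in re.findall(r"\$(\w+)", line):
            if var not in defined:
                problems.append(f"line {n}: ${var} used before it is defined")
        m = re.match(r"var\s+(\w+)\s+\S", line)
        if m:
            defined.add(m.group(1))
        elif re.match(r"preprocessor\s+portscan\s*:", line):
            portscan_seen = True
        elif re.match(r"preprocessor\s+portscan-ignorehosts\s*:", line):
            if not portscan_seen:
                problems.append(f"line {n}: portscan-ignorehosts precedes "
                                "preprocessor portscan")
        elif line.startswith("pass "):
            has_pass = True
    # The reply says to start snort with -o when pass rules are used.
    if has_pass and "-o" not in snort_argv:
        problems.append("pass rules present but snort is not started with -o")
    return problems

if __name__ == "__main__":
    for p in lint(SAMPLE_CONF, ["snort", "-c", "snort.conf"]):
        print(p)
```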