[Snort-users] Really, *really* ignore a portscan.

Sven Veckes s.veckes at ...1190...
Fri Jan 26 02:23:21 EST 2001

At 07:51 26.01.01 +0100, Scott A. McIntyre wrote:
>Due to what appears to be a funky interaction with 2.4 and iptables, one
>particular node in question reports a (false) Stealth portscan against
>me whenever it sends SMTP traffic to one of my nodes.  I'd love to be
>able to filter this out, but so far neither a pass rule (for udp or tcp)
>nor a preprocessor ignore statement has done the trick.  Is there a
>hidden function that will really, honestly and truly, ignore a
>particular portscan?
>Many thanks for any ideas.

Did you use the '-o' switch??
Snort is doing the alerts before passing the traffic. With this switch you
can change the order in which it processes the rules. (Please correct me if I'm wrong).
I had the same thing here. For me it seems to work since yesterday.


Swen Veckes
KDD TELECOMET Deutschland Gmbh
Immermannstrasse 45
D-40210 Düsseldorf
Tel.: +49 (211) 936 98 - 518
Fax.: +49 (211) 936 98 - 50
E-Mail: mailto:s.veckes at ...1190...
