[Snort-users] Really, *really* ignore a portscan.

Sven Veckes s.veckes at ...1190...
Fri Jan 26 02:23:21 EST 2001


At 07:51 26.01.01 +0100, Scott A. McIntyre wrote:
>Hi,
>
>Due to what appears to be a funky interaction with 2.4 and iptables, one
>particular node in question reports a (false) Stealth portscan against
>me whenever it sends SMTP traffic to one of my nodes.  I'd love to be
>able to filter this out, but so far neither a pass rule (for udp or tcp)
>or a preprocessor ignore statement has done the trick.  Is there a
>hidden function that will really, honestly and truly, ignore a
>particular portscan?
>
>Many thanks for any ideas.
>
>Scott

Did you use the '-o' switch??
Snort is doing the alerts before passing the traffic. With this switch you
can change the order in which it processes the rules. (Please correct me if I'm wrong).
I had the same thing here. For me it seems to work since yesterday.

regards

--
Swen Veckes
Systemadministrator
KDD TELECOMET Deutschland Gmbh
Immermannstrasse 45
D-40210 Düsseldorf
Germany
Tel.: +49 (211) 936 98 - 518
Fax.: +49 (211) 936 98 - 50
E-Mail: mailto:s.veckes at ...1190...