[Snort-users] Really, *really* ignore a portscan.

shawn . moyer shawn at ...1184...
Fri Jan 26 03:05:54 EST 2001


Sven Veckes wrote:

> Did you use the '-o' switch??
> Snort is doing the alerts befor passing the traffic. with this switch you
> can change the order
> how it processes the rules. (Please correct me if I'm wrong).
> I had the same thing here. For me it seems to work since yesterday.

I'm wondering whether the portscan preprocessor runs separately from the
standard pass / log / alert ruleset... It would make sense that it
would, IMHO.

This should be an issue to resolve w/ portscan ignore-hosts -- I was
getting something similar on a busy network from my ISP's DNS servers. 

Here's what stopped the portscan alarms in my config:

preprocessor portscan-ignorehosts: X.X.X.X X.X.X.X

Not sure why this wouldn't work in your config, Scott. Syntax?





--shawn

-- 
s h a w n   m o y e r
shawn at ...1184...




More information about the Snort-users mailing list