[Snort-users] Really, *really* ignore a portscan.

Sven Veckes s.veckes at ...1190...
Fri Jan 26 03:57:55 EST 2001


At 02:05 26.01.01 -0600, shawn . moyer wrote:
>Sven Veckes wrote:
>
> > Did you use the '-o' switch??
> > Snort is doing the alerts before passing the traffic. With this switch you
> > can change the order
> > how it processes the rules. (Please correct me if I'm wrong).
> > I had the same thing here. For me it seems to work since yesterday.
>
>I'm wondering whether the portscan preprocessor runs separately from the
>standard pass / log / alert ruleset... It would make sense that it
>would, IMHO.
>
>This should be an issue to resolve w/ portscan ignore-hosts -- I was
>getting something similar on a busy network from my ISP's DNS servers.
>
>Here's what stopped the portscan alarms in my config:
>
>preprocessor portscan-ignorehosts: X.X.X.X X.X.X.X
>
>Not sure why this wouldn't work in your config, Scott. Syntax?

I'm using this:
var DNS_SERVERS [10.1.0.0/16]
preprocessor portscan-ignorehosts: $DNS_SERVERS
and it seems to work. For portscans.


--
Swen Veckes
Systemadministrator
KDD TELECOMET Deutschland Gmbh
Immermannstrasse 45
D-40210 Düsseldorf
Germany
Tel.: +49 (211) 936 98 - 518
Fax.: +49 (211) 936 98 - 50
E-Mail: mailto:s.veckes at ...1190...





