[Snort-users] Really, *really* ignore a portscan.

shawn . moyer shawn at ...1184...
Fri Jan 26 04:04:44 EST 2001

Sven Veckes wrote:
> > > Did you use the '-o' switch??
> > > Snort is doing the alerts before passing the traffic. With this switch you
> > > can change the order.

> I'm using this:
> var DNS_SERVERS []
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> and it seems to work. For portscans.

I don't dispute that what you have above works, in fact it's the same
setup as what I have. What I'm curious about is whether with the
portscan preprocessor the '-o' flag has any effect or not. 

It would seem to me that "preprocessor" implies that this is run prior
to processing the ruleset.

Again, I don't know for sure, just a hunch...


s h a w n   m o y e r
shawn at ...1184...

