[Snort-users] Really, *really* ignore a portscan.

roman at ...438... roman at ...438...
Fri Jan 26 09:59:17 EST 2001


The Snort execution sequence is:

pcap => pre-processor => processor => output facilities

The alert/log/pass order only influences the behavior of the
processor (i.e. the rules).  However, the pre-processor "sees" 
the packet even before the rules engine is applied.  Hence why
the -o switch has no effect.

Perhaps you can do some host exclusions with BPF?

Roman

> Sven Veckes wrote:
> > > > Did you use the '-o' switch??
> > > > Snort is doing the alerts before passing the traffic. With this switch you
> > > > can change the order.
> 
> > I'm using this:
> > var DNS_SERVERS [10.1.0.0/16]
> > preprocessor portscan-ignorehosts: $DNS_SERVERS
> > and it seems to work. For portscans.
> 
> I don't dispute that what you have above works, in fact it's the same
> setup as what I have. What I'm curious about is whether with the
> portscan preprocessor the '-o' flag has any effect or not. 
> 
> It would seem to me that "preprocessor" implies that this is run prior
> to processing the ruleset.
> 
> Again, I don't know for sure, just a hunch...
> 
> 
> 
> --shawn
> 
> -- 
> s h a w n   m o y e r
> shawn at ...1184...
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> 
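Roman's point above (a preprocessor runs on whatever pcap hands it, before the rules engine, so -o cannot shield a host from the portscan preprocessor, but a BPF filter applied at the pcap stage can) is easy to see in a small model of that pipeline. The following is an added illustration written for this page; it is not Snort source and not code posted by anyone in the thread. The functions bpf_filter, PortscanPreprocessor, rules_engine and run_pipeline, the 10.2.0.9 target host, the 192.0.2.7 scanner and the packet list are all constructed for the example; the 10.1.0.0/16 DNS range is the one from Sven's snort.conf.

```python
"""Model of the pipeline described in the thread:
pcap (BPF) -> preprocessor (portscan) -> rules (alert/pass order) -> output.
Added example only; names and sample traffic are invented, not Snort internals."""
import ipaddress
from collections import defaultdict

DNS_SERVERS = [ipaddress.ip_network("10.1.0.0/16")]   # from the quoted snort.conf
MONITORED_HOST = "10.2.0.9"                            # assumed target host

# Constructed sample traffic as (src, dst, dport) tuples, not captured data.
SAMPLE_PACKETS = (
    [("10.1.0.5", MONITORED_HOST, p) for p in range(1000, 1012)]   # busy DNS server
    + [("192.0.2.7", MONITORED_HOST, p) for p in range(20, 32)]    # real port scan
    + [("10.2.0.1", MONITORED_HOST, 80)]                           # ordinary client
)


def in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def bpf_filter(packets, exclude_nets):
    """Stage 1, libpcap: the capture filter. Equivalent to running snort with a
    trailing BPF expression such as 'not net 10.1.0.0/16'. Whatever is dropped
    here is invisible to every later stage."""
    return [p for p in packets
            if not in_nets(p[0], exclude_nets) and not in_nets(p[1], exclude_nets)]


class PortscanPreprocessor:
    """Stage 2: a simplified portscan detector. Fires once when a source has
    touched at least `threshold` distinct ports on one destination. It has its
    own ignore list (portscan-ignorehosts) and never consults the rules."""

    def __init__(self, threshold=10, ignore_hosts=()):
        self.threshold = threshold
        self.ignore_hosts = list(ignore_hosts)
        self.ports = defaultdict(set)
        self.flagged = set()

    def feed(self, pkt):
        src, dst, dport = pkt
        if in_nets(src, self.ignore_hosts):
            return None
        self.ports[(src, dst)].add(dport)
        if len(self.ports[(src, dst)]) >= self.threshold and src not in self.flagged:
            self.flagged.add(src)
            return f"PORTSCAN {src} -> {dst}"
        return None


def rules_engine(pkt, order):
    """Stage 3: the rule set, checked in the configured action order.
    Snort 1.x default is Alert->Pass->Log; -o makes it Pass->Alert->Log."""
    src, dst, _ = pkt
    rules = {
        "pass": lambda: in_nets(src, DNS_SERVERS),   # pass ip $DNS_SERVERS any -> any any
        "alert": lambda: dst == MONITORED_HOST,      # alert ip any any -> 10.2.0.9 any
    }
    for action in order:
        if action in rules and rules[action]():
            return action
    return None


def run_pipeline(packets, order=("alert", "pass", "log"), bpf_exclude=(), ignore_hosts=()):
    """pcap -> preprocessor -> rules -> output. Returns what each stage produced."""
    pre = PortscanPreprocessor(ignore_hosts=ignore_hosts)
    out = {"portscan": [], "rule": []}
    for pkt in bpf_filter(packets, bpf_exclude):
        hit = pre.feed(pkt)                          # preprocessor sees the packet first...
        if hit:
            out["portscan"].append(hit)
        if rules_engine(pkt, order) == "alert":      # ...then the rules decide
            out["rule"].append(f"ALERT {pkt[0]} -> {pkt[1]}:{pkt[2]}")
    return out


if __name__ == "__main__":
    for label, kw in [
        ("default order", {}),
        ("-o (pass first)", {"order": ("pass", "alert", "log")}),
        ("BPF exclusion", {"bpf_exclude": DNS_SERVERS}),
        ("portscan-ignorehosts", {"ignore_hosts": DNS_SERVERS}),
    ]:
        r = run_pipeline(SAMPLE_PACKETS, **kw)
        print(f"{label:22s} portscan={r['portscan']} rule_alerts={len(r['rule'])}")
```

Running it shows the two cases side by side: with -o the DNS server's packets stop producing rule alerts but the portscan preprocessor still flags 10.1.0.5, while a BPF exclusion (or portscan-ignorehosts, which is the preprocessor's own list) is what actually silences it. The real-world equivalent of bpf_filter is a BPF expression on the snort command line, e.g. `snort -c snort.conf not net 10.1.0.0/16` (or a filter file given with -F); nothing excluded there ever reaches the preprocessors, the rules or the output plugins.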


