[Snort-users] ignoring udp scans
neil at ...1633...
Fri May 4 10:41:58 EDT 2001
"Sid" <s_i_d_j at ...131...> wrote asking:
>How do I ignore UDP portscans in the portscan preprocessor? Of course, I am
>referring to the DNS traffic.
Near the top of your snort configuration file, you will find a line which
starts like this:
It is probably commented out. Uncomment it, and list the IP addresses of
the DNS servers you wish to ignore following the colon and separated by

    preprocessor portscan-ignorehosts: 111.222.333.444 555.666.777.888

Then save the changes and reset Snort.
Neil Dickey, Ph.D.
Northern Illinois University
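
Added example (not part of the original post, and not Snort's own code): a small Python check that finds the portscan-ignorehosts line in a configuration file, reports whether it is still commented out, validates each listed address, and counts how many addresses the portscan preprocessor will stop watching. The function name check_ignorehosts, the constructed sample configuration, and the acceptance of CIDR entries are assumptions; the addresses in the post are placeholders and are not valid IPv4, so the check flags the one copied into the sample.

```python
import ipaddress
import re

# The directive named in the post, optionally commented out with '#'.
DIRECTIVE = re.compile(
    r"^\s*(?P<hash>#+)?\s*preprocessor\s+portscan-ignorehosts\s*:\s*(?P<hosts>.*)$"
)

# Constructed sample configuration; 192.0.2.53 and 198.51.100.0/24 are
# documentation addresses, 111.222.333.444 is the placeholder from the post.
SAMPLE_CONF = """\
# preprocessor portscan-ignorehosts:
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 111.222.333.444 192.0.2.53 198.51.100.0/24
"""


def check_ignorehosts(conf_text):
    """Return one finding per portscan-ignorehosts line in conf_text."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        valid, invalid, ignored = [], [], 0
        # Drop any trailing '#' comment before splitting on whitespace.
        for token in m.group("hosts").split("#", 1)[0].split():
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                invalid.append(token)  # typo or placeholder left in place
                continue
            valid.append(str(net))
            ignored += net.num_addresses  # size of the detection blind spot
        findings.append({
            "line": lineno,
            "active": m.group("hash") is None,  # False while commented out
            "valid": valid,
            "invalid": invalid,
            "ignored_addresses": ignored,
        })
    return findings


if __name__ == "__main__":
    for finding in check_ignorehosts(SAMPLE_CONF):
        print(finding)
```

Every address counted in ignored_addresses is a source the portscan preprocessor will no longer alert on, so the list is worth keeping to the DNS servers themselves.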