[Snort-users] ignoring udp scans

Neil Dickey neil at ...1633...
Fri May 4 10:41:58 EDT 2001


"Sid" <s_i_d_j at ...131...> wrote asking:

>How do i ignore udp portscans in the portscan preprocessor? Ofcourse, i am
>referring to the DNS traffic.

Near the top of your snort configuration file, you will find a line which
starts like this:

  preprocessor portscan-ignorehosts:

It is probably commented out.  Uncomment it, and list the IP addresses of
the DNS servers you wish to ignore following the colon and separated by
spaces:

  preprocessor portscan-ignorehosts: 111.222.333.444 555.666.777.888

Then save the changes and reset Snort.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115




More information about the Snort-users mailing list