[Snort-users] ignoring udp scans

Sid s_i_d_j at ...131...
Fri May 4 17:53:03 EDT 2001


I had this line but this is only for my DNS servers, but the portscan
preprocessor logs a lot of DNS talk as portscans. This includes other DNS
servers in the internet hierarchy.

Siddhartha

----- Original Message -----
From: "Neil Dickey" <neil at ...1633...>
To: <snort-users at lists.sourceforge.net>; <s_i_d_j at ...131...>
Sent: Friday, May 04, 2001 8:11 PM
Subject: Re: [Snort-users] ignoring udp scans


>
> "Sid" <s_i_d_j at ...131...> wrote asking:
>
> >How do I ignore udp portscans in the portscan preprocessor? Of course, I am
> >referring to the DNS traffic.
>
> Near the top of your snort configuration file, you will find a line which
> starts like this:
>
>   preprocessor portscan-ignorehosts:
>
> It is probably commented out.  Uncomment it, and list the IP addresses of
> the DNS servers you wish to ignore following the colon and separated by
> spaces:
>
>   preprocessor portscan-ignorehosts: 111.222.333.444 555.666.777.888
>
> Then save the changes and reset Snort.
>
> Best regards,
>
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois
> 60115
>

