[Snort-users] Ingoring Hosts

Ayse Ekinci ayse at ...2206...
Sun Nov 11 01:12:02 EST 2001


Although I have an entry to ignore couple of my servers (yp, networking 
monitoring etc) ...:

	portscan-ignorehosts: x.x.x.1/32  x.x.x.2/32

Snort still will not ingore them and I still recieve the following messages
via syslog:

	2 in 0:15:36: my_host snort: [ID 702911 local1.notice]
	spp_portscan: portscan status from x.x.x.1: 5 connections across 1 hosts:
	TCP(2), UDP(3)

	Nov 11 19:59:19 my_host snort: [ID 702911 local1.notice]
	spp_portscan: End of portscan from x.x.x.2: TOTAL time(1s) hosts(1) TCP(0)
	UDP(5)

	2 in 1:00:00: my_host snort: [ID 702911 local1.notice]
	spp_portscan: PORTSCAN DETECTED from x.x.x.3 (THRESHOLD 4 connections
	exceeded in 0 seconds)

Can anyone tell me what have I missed - please.

Regards & thnx in advance
Ayse




More information about the Snort-users mailing list