[Snort-users] Ingoring Hosts

Erek Adams erek at ...577...
Sun Nov 11 11:10:02 EST 2001


On Sun, 11 Nov 2001, Ayse Ekinci wrote:

>
> Although I have an entry to ignore couple of my servers (yp, networking
> monitoring etc) ...:
>
> 	portscan-ignorehosts: x.x.x.1/32  x.x.x.2/32
>
> Snort still will not ingore them and I still recieve the following messages
> via syslog:
>
> 	2 in 0:15:36: my_host snort: [ID 702911 local1.notice]
> 	spp_portscan: portscan status from x.x.x.1: 5 connections across 1 hosts:
> 	TCP(2), UDP(3)
>
> 	Nov 11 19:59:19 my_host snort: [ID 702911 local1.notice]
> 	spp_portscan: End of portscan from x.x.x.2: TOTAL time(1s) hosts(1) TCP(0)
> 	UDP(5)
>
> 	2 in 1:00:00: my_host snort: [ID 702911 local1.notice]
> 	spp_portscan: PORTSCAN DETECTED from x.x.x.3 (THRESHOLD 4 connections
> 	exceeded in 0 seconds)
>
> Can anyone tell me what have I missed - please.

Try this:

	 portscan-ignorehosts: [x.x.x.1/32,x.x.x.2/32]

This snippet from the snort.conf file gives you some more info about it...

---
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
---

That should get you fixed up.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list