[Snort-users] Ignoring Hosts
erek at ...577...
Sun Nov 11 11:10:02 EST 2001
On Sun, 11 Nov 2001, Ayse Ekinci wrote:
> Although I have an entry to ignore a couple of my servers (yp, networking
> monitoring etc) ...:
> portscan-ignorehosts: x.x.x.1/32 x.x.x.2/32
> Snort still will not ignore them and I still receive the following messages
> via syslog:
> 2 in 0:15:36: my_host snort: [ID 702911 local1.notice]
> spp_portscan: portscan status from x.x.x.1: 5 connections across 1 hosts:
> TCP(2), UDP(3)
> Nov 11 19:59:19 my_host snort: [ID 702911 local1.notice]
> spp_portscan: End of portscan from x.x.x.2: TOTAL time(1s) hosts(1) TCP(0)
> 2 in 1:00:00: my_host snort: [ID 702911 local1.notice]
> spp_portscan: PORTSCAN DETECTED from x.x.x.3 (THRESHOLD 4 connections
> exceeded in 0 seconds)
> Can anyone tell me what I have missed, please?
This snippet from the snort.conf file gives you some more info about it...
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
That should get you fixed up.
Hope that helps!
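
An added example, not part of the original thread: a Python check that parses spp_portscan syslog messages of the three kinds quoted above and reports which alert sources fall inside the networks on the portscan-ignorehosts line. The addresses, timestamps and log lines are constructed (192.0.2.N stands in for the redacted x.x.x.N), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: 192.0.2.N stands in for the redacted x.x.x.N addresses.
IGNORE_LINE = "portscan-ignorehosts: 192.0.2.1/32 192.0.2.2/32"
SAMPLE_LOG = """\
Nov 11 19:58:03 my_host snort: [ID 702911 local1.notice] spp_portscan: portscan status from 192.0.2.1: 5 connections across 1 hosts: TCP(2), UDP(3)
Nov 11 19:59:19 my_host snort: [ID 702911 local1.notice] spp_portscan: End of portscan from 192.0.2.2: TOTAL time(1s) hosts(1) TCP(0)
Nov 11 20:01:44 my_host snort: [ID 702911 local1.notice] spp_portscan: PORTSCAN DETECTED from 192.0.2.3 (THRESHOLD 4 connections exceeded in 0 seconds)
"""

# Matches the three spp_portscan message kinds and captures the source address.
ALERT_RE = re.compile(
    r"spp_portscan: (PORTSCAN DETECTED|portscan status|End of portscan) "
    r"from (\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_ignore_list(line):
    """Return the networks named on a portscan-ignorehosts line.
    Lenient on purpose (spaces, commas, brackets): this is for auditing the
    list, not a statement about which separators Snort itself accepts."""
    _, _, value = line.partition(":")
    entries = re.split(r"[\s,\[\]]+", value.strip())
    return [ipaddress.ip_network(e, strict=False) for e in entries if e]

def classify_alerts(log_text, networks):
    """Return (source, kind, on_ignore_list) for each spp_portscan message."""
    results = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(2))
        results.append((str(src), m.group(1), any(src in n for n in networks)))
    return results

def ignored_hosts_still_alerting(log_text, ignore_line):
    """Sorted sources that are on the ignore list yet still appear in alerts."""
    nets = parse_ignore_list(ignore_line)
    return sorted({s for s, _, hit in classify_alerts(log_text, nets) if hit})

if __name__ == "__main__":
    for src, kind, hit in classify_alerts(SAMPLE_LOG, parse_ignore_list(IGNORE_LINE)):
        print(f"{src:12} {kind:18} {'on ignore list' if hit else 'not ignored'}")
```

On the constructed sample, the .1 and .2 sources are reported as on the ignore list yet still alerting, while the .3 source is not on the list at all, so its alert is separate from the ignore-list question.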