[Snort-users] AW: (Snort-users) NEWBIE: portscan tuning

sandro.poppi at ...3316... sandro.poppi at ...3316...
Sun Oct 28 22:58:01 EST 2001


Try

var DNS_SERVERS [a.b.c.d/32]

or, if you want to put in more, i.e. a host and a class C network

var DNS_SERVERS [a.b.c.d/32,w.x.y.z/24]

HTH,
Sandro

> -----Original Message-----
> From: Legus <eboo at ...2198...> at internet
> Sent: Sunday, 28 October 2001 11:54
> To: snort-users at lists.sourceforge.net at Internet
> Subject: RE: [Snort-users] NEWBIE: portscan tuning
>
>
> Sorry,
>
> This problem is driving me crazy. Any help? Is my conf setting wrong
> with respect to the portscan?
>
> Please help, thanks.
>
> * eboo at ...2198... (eboo at ...2198...) wrote:
> >
> > Hi all,
> >
> > Sorry if this has been asked before. I've read the manual but still am not
> > sure what I am doing wrong.
> >
> > I get portscan alerts from snort when I access the web:
> >
> > [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from a.b.c.d
> > (THRESHOLD 5 connections exceeded in 6 seconds) [**]
> > 10/17-17:14:52.252947
> >
> > /etc/snort/snort.conf:
> >
> > var DNS_SERVERS a.b.c.d
> >
> > preprocessor portscan: $HOME_NET 4 3 portscan.log
> > (I've also tried commenting out the above line, same effect)
> >
> > preprocessor portscan-ignorehosts: $DNS_SERVERS
> >
> >
> > How do I get snort to not report portscans from my machine or
> > any network which I specify?
> >
> > Thanks.
> >
> > Eric
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
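An added example, not part of the original thread and not Snort's own code: a small Python check that resolves the variable passed to `portscan-ignorehosts`, flags entries that are not in the bracketed address/mask form suggested in the reply, and tests whether the source of an `spp_portscan` alert falls inside the list. The addresses, the sample config, the `RESOLVERS` variable and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input: documentation addresses stand in for a.b.c.d / w.x.y.z.
SAMPLE_CONF = """\
var HOME_NET 192.0.2.0/24
var DNS_SERVERS 192.0.2.53
var RESOLVERS [192.0.2.53/32,198.51.100.0/24]
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
"""
SAMPLE_ALERT = ("[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 198.51.100.7 "
                "(THRESHOLD 5 connections exceeded in 6 seconds) [**]")

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(.+?)\s*$", re.M)
IGNORE_RE = re.compile(r"^\s*preprocessor\s+portscan-ignorehosts:\s*(.+?)\s*$", re.M)
ALERT_RE = re.compile(r"PORTSCAN DETECTED from (\d+\.\d+\.\d+\.\d+)")


def ignore_entries(conf):
    """Return (raw_value, entries) for portscan-ignorehosts, with a $VAR resolved."""
    variables = dict(VAR_RE.findall(conf))
    match = IGNORE_RE.search(conf)
    raw = match.group(1) if match else ""
    if raw.startswith("$"):
        raw = variables.get(raw[1:], "")
    return raw, [e for e in re.split(r"[,\s]+", raw.strip("[]")) if e]


def lint(conf):
    """List deviations from the bracketed address/mask form given in the reply."""
    raw, entries = ignore_entries(conf)
    problems = []
    if not (raw.startswith("[") and raw.endswith("]")):
        problems.append("list is not wrapped in [ ]")
    problems += [f"{e}: no /mask" for e in entries if "/" not in e]
    return problems


def covered(conf, alert):
    """True if the alert's source address lies inside one of the ignore-list entries."""
    src = ipaddress.ip_address(ALERT_RE.search(alert).group(1))
    _, entries = ignore_entries(conf)
    return any(src in ipaddress.ip_network(e, strict=False) for e in entries)

if __name__ == "__main__":
    print(lint(SAMPLE_CONF), covered(SAMPLE_CONF, SAMPLE_ALERT))
```
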
