[Snort-users] Configuration issue

Brian bmc at ...950...
Sun Sep 23 10:55:03 EDT 2001


Let me just make this one comment...

According to DJDave Sobel:

> var HOME_NET [209.190.196.160/28,209.190.206.65/32,209.190.206.66/32,209.190.206.64/32,10.1.0.0/24,10.2.0.0/24]
> 
> var EXTERNAL_NET !$HOME_NET
> var SMTP $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> #var DNS_SERVERS [209.190.196.163/32,209.190.196.174/32]
> var DNS_SERVERS $HOME_NET
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> preprocessor portscan-ignorehosts: $DNS_SERVERS

You set DNS_SERVERS to HOME_NET and then ignore HOME_NET in your
portscan-ignorehosts.  Why bother running the portscan preprocessor if
you are not going to watch for portscans?

-brian
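
A check for the overlap raised in the reply above, as an added example that is not part of the original post or of Snort itself: it expands the `var` references in a configuration and reports networks given to `preprocessor portscan` that are entirely covered by the `portscan-ignorehosts` list. The function names and the simplified parser (plain address lists only, no negation) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample based on the configuration quoted in the post.
SAMPLE_CONF = """\
var HOME_NET [209.190.196.160/28,209.190.206.65/32,209.190.206.66/32,209.190.206.64/32,10.1.0.0/24,10.2.0.0/24]
var EXTERNAL_NET !$HOME_NET
#var DNS_SERVERS [209.190.196.163/32,209.190.196.174/32]
var DNS_SERVERS $HOME_NET
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
"""

def parse_vars(conf):
    """Collect 'var NAME value' lines; commented-out lines do not match."""
    variables = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\S+)\s+(\S+)", line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables

def expand(value, variables, depth=0):
    """Resolve $NAME references to a list of networks (negation not handled)."""
    if depth > 10:
        raise ValueError("variable reference loop")
    nets = []
    for item in value.strip("[]").split(","):
        item = item.strip()
        if item.startswith("$"):
            nets += expand(variables[item[1:]], variables, depth + 1)
        elif item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def ignored_watch_nets(conf):
    """Return watched networks fully covered by the portscan-ignorehosts list."""
    variables = parse_vars(conf)
    watched, ignored = [], []
    for line in conf.splitlines():
        m = re.match(r"\s*preprocessor\s+(portscan(?:-ignorehosts)?):\s*(.+)", line)
        if not m:
            continue
        args = m.group(2).split()
        if m.group(1) == "portscan":
            watched += expand(args[0], variables)  # first argument is the network
        else:
            ignored += [n for a in args for n in expand(a, variables)]
    return [w for w in watched if any(w.subnet_of(i) for i in ignored)]
```

On the constructed sample every watched network is reported; with the commented-out `DNS_SERVERS` line used instead, none are.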



