[Snort-users] portscan-ignore

Vinay A. Mahadik VAMahadik at ...6245...
Tue Aug 6 11:12:03 EDT 2002

Fred Portnoy wrote:
> Snorters:
> Does the portscan-ignore feature . . .
> "preprocessor portscan-ignorehosts: $DNS_SERVERS"
> ... apply to either the source or destination addresses in the detected
> scan, or only the source addresses? Can I get it to not report on what
> Snort thinks are scans to port 53 of my dns servers? I am currently
> running 1.8.3.

I don't think the portscan preprocessor can ignore Destination IPs at
the moment. The ignorehosts spec matches Sources and not destinations,
so that shouldn't be able to solve your problem. Perhaps a highly
specific BPF?...

Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618

More information about the Snort-users mailing list