[Snort-users] portscan-ignore

Vinay A. Mahadik VAMahadik at ...6245...
Tue Aug 6 11:12:03 EDT 2002


Fred Portnoy wrote:
> 
> Snorters:
> 
> Does the portscan-ignore feature . . .
> "preprocessor portscan-ignorehosts: $DNS_SERVERS"
> ... apply to either the source or destination addresses in the detected
> scan, or only the source addresses? Can I get it to not report on what
> Snort thinks are scans to port 53 of my dns servers? I am currently
> running 1.8.3.
> 

I don't think the portscan preprocessor can ignore Destination IPs at
the moment. The ignorehosts spec matches Sources and not destinations,
so that shouldn't be able to solve your problem. Perhaps a highly
specific BPF?...

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618




More information about the Snort-users mailing list