[Snort-users] Help with pass rule
erek at ...577...
Tue Aug 27 23:59:02 EDT 2002
On Wed, 28 Aug 2002 francisv at ...6732... wrote:
[...good info snipped...]
> The idea is to ignore traffic coming from the $SERVER_NET block going out
> and ignore scan attempts from outside going inside $HOME_NET. The problem is
> I still see alerts for scan proxy attempts from outside. This is how I run
> /usr/local/bin/snort -Dko -c /usr/local/etc/snort.conf
Welcome to the club. ;) Snort variables ($HOME_NET) do not get sent to the
pre-processers or the plugins.
If you write a pass rule, it needs to also be in the portscan_ignorehosts so
that the portscan plugin does not see it as a scan.
Hope that helsp! Cheers!
More information about the Snort-users