[Snort-users] Help with pass rule

francisv at ...6732... francisv at ...6732...
Wed Aug 28 00:05:03 EDT 2002


I have the following line:

	preprocessor portscan-ignorehosts: $HOME_NET

in my snort.conf file. Is portscan-ignorehosts directly related to scan
attempts?

-----Original Message-----
From: Erek Adams [mailto:erek at ...577...] 
Sent: Wednesday, August 28, 2002 2:58 PM
To: francisv at ...6732...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Help with pass rule

On Wed, 28 Aug 2002 francisv at ...6732... wrote:

[...good info snipped...]

> The idea is to ignore traffic coming from the $SERVER_NET block going out
> and ignore scan attempts from outside going inside $HOME_NET. The problem is
> I still see alerts for scan proxy attempts from outside. This is how I run
> snort:
>
> 	/usr/local/bin/snort -Dko -c /usr/local/etc/snort.conf

Welcome to the club.  ;)  Snort variables ($HOME_NET) do not get sent to the
preprocessors or the plugins.

If you write a pass rule, it needs to also be in the portscan_ignorehosts so
that the portscan plugin does not see it as a scan.

Hope that helps!  Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
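
An added example, not part of the original messages: a small Python check that follows the reply above by cross-checking each pass rule's source address against the literal entries on the portscan-ignorehosts line, and by flagging any $variable tokens found there. The configuration text, the addresses (documentation ranges) and the `audit` function name are constructed for illustration.

```python
import ipaddress

# Constructed sample configuration (not from the thread).
SAMPLE_CONF = """\
var SERVER_NET 192.0.2.0/24
var DNS_HOST 198.51.100.53/32
preprocessor portscan-ignorehosts: 198.51.100.53/32 $SERVER_NET
pass tcp $SERVER_NET any -> any any
pass udp $DNS_HOST 53 -> any any
pass tcp 203.0.113.7 any -> any 80
"""

def audit(conf_text):
    """Return (pass rules whose source is not covered, $tokens on the ignorehosts line)."""
    variables, ignored, var_tokens, sources = {}, [], [], []
    for line in conf_text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0].startswith("#"):
            continue
        if tok[0] == "var":
            variables[tok[1]] = tok[2]
        elif tok[0] == "preprocessor" and tok[1].rstrip(":") == "portscan-ignorehosts":
            for entry in tok[2:]:
                if entry.startswith("$"):
                    var_tokens.append(entry)  # flagged, following the reply above
                else:
                    ignored.append(ipaddress.ip_network(entry, strict=False))
        elif tok[0] == "pass":
            sources.append((tok[2], line))  # tok[2] is the rule's source address
    uncovered = []
    for src, line in sources:
        value = variables.get(src[1:], src) if src.startswith("$") else src
        # "any", lists, negations and undefined variables cannot be matched
        # against a single ignorehosts entry, so report them for manual review.
        if value == "any" or value.startswith(("[", "!", "$")):
            uncovered.append(line)
            continue
        net = ipaddress.ip_network(value, strict=False)
        if not any(net.subnet_of(ign) for ign in ignored):
            uncovered.append(line)
    return uncovered, var_tokens

if __name__ == "__main__":
    missing, tokens = audit(SAMPLE_CONF)
    for rule in missing:
        print("pass rule source not in portscan-ignorehosts:", rule)
    for t in tokens:
        print("variable used on portscan-ignorehosts line:", t)
```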