[Snort-users] Help with pass rule
erek at ...577...
Wed Aug 28 10:15:02 EDT 2002
On Wed, 28 Aug 2002 francisv at ...6732... wrote:
> I have the following line:
> preprocessor portscan-ignorehosts: $HOME_NET
> in my snort.conf file. Is portscan-ignorehosts directly related to scan
Yes. It's part of the portscan preprocessor. It tells the plugin what IP's
to ignore 'scans' from. The logic of portscan is something like "If you see
over X connections to a port or multiple ports in Y seconds, then it's a
portscan." DNS servers can set it off if it's not setup right.
You may want to change your HOME_NET and EXTERNAL_NET values, depending on how
you see your network. If SERVER_NET is also HOME_NET then I would define
EXTERNAL_NET as !$HOME_NET. That would set it to every IP except your
More information about the Snort-users