[Snort-users] Help with pass rule

Erek Adams erek at ...577...
Wed Aug 28 10:15:02 EDT 2002

On Wed, 28 Aug 2002 francisv at ...6732... wrote:

> I have the following line:
> 	preprocessor portscan-ignorehosts: $HOME_NET
> in my snort.conf file. Is portscan-ignorehosts directly related to scan
> attempts?

Yes.  It's part of the portscan preprocessor.  It tells the plugin what IP's
to ignore 'scans' from.  The logic of portscan is something like "If you see
over X connections to a port or multiple ports in Y seconds, then it's a
portscan."  DNS servers can set it off if it's not setup right.

You may want to change your HOME_NET and EXTERNAL_NET values, depending on how
you see your network.  If SERVER_NET is also HOME_NET then I would define
EXTERNAL_NET as !$HOME_NET.  That would set it to every IP except your


Erek Adams

More information about the Snort-users mailing list