[Snort-users] "preprocessor portscan2-ignorehosts" ignored

Helmut Schneider jumper99 at ...348...
Mon Dec 2 10:47:05 EST 2002


> First, your ignorehosts line has to be *after* the portscan2 line.

It is...

> Second, ignorehosts ignores portscans *from* hosts, like your DNS
> servers.

Thats what I wrote.

> If you are getting 5000+ alerts from people scanning your proxy, then

When my proxy sometimes opens many servers at short time and recieves
many responses snort thinks this is a portscan! :))

> you might consider putting a BPF on snort to ignore your proxy or
> something like that.

BPF?! Blocking ...?

Helmut





More information about the Snort-users mailing list