[Snort-users] Ignorehosts, once again

Brandis Jaroslav jaroslav.brandis at ...6982...
Tue Dec 17 07:43:25 EST 2002


> OK, got another implementation of Snort. Now I forgot how I
> got it to ignore certain SOURCE IPs (such as using the
> DNS_SERVERS variable). I know there is a syntax issue with
> this. What is the exact way to ignore a host source?
> 
> I currently have:
> var DNS_SERVERS [207.108.40.###,207.108.40.###]
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> 
> This does not work. I've seen several variations, none of
> which work: It still gets alerts from these hosts.

I got the same problem.  It's a problem of config directive order.
Preprocessor ignorehosts must be after Preprocessor portscan.
If you are using portscan2 you can use preprocessor
portscan2-ignorehosts: blabla

Use this order:

var DNS_SERVERS [207.108.40.###,207.108.40.###]
preprocessor portscan blablabla
preprocessor portscan-ignorehosts: $DNS_SERVERS
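
A small order check for the problem described in this reply, added here as an example and not part of the original message or of Snort itself. It assumes every `<name>-ignorehosts` directive belongs to the preprocessor called `<name>`; the function name, the sample configs and the portscan arguments are constructed for illustration.

```python
import re

# "preprocessor <name>" at the start of a line; arguments are not needed here.
PREPROC = re.compile(r"^\s*preprocessor\s+([\w-]+)")
SUFFIX = "-ignorehosts"


def check_ignorehosts_order(conf_text):
    """Return (line_no, message) for each *-ignorehosts directive that comes
    before, or has no, matching portscan preprocessor line."""
    first_seen = {}  # preprocessor name -> line number of first occurrence
    ignores = []     # (line number, directive name, base preprocessor name)
    for no, raw in enumerate(conf_text.splitlines(), 1):
        m = PREPROC.match(raw.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        name = m.group(1)
        if name.endswith(SUFFIX):
            ignores.append((no, name, name[: -len(SUFFIX)]))
        else:
            first_seen.setdefault(name, no)

    problems = []
    for no, name, base in ignores:
        if base not in first_seen:
            problems.append((no, f"{name} has no 'preprocessor {base}' line"))
        elif first_seen[base] > no:
            problems.append(
                (no, f"{name} precedes 'preprocessor {base}' "
                     f"(line {first_seen[base]})"))
    return problems


# Constructed sample configs (documentation addresses, made-up arguments).
BAD_CONF = """\
var DNS_SERVERS [192.0.2.10,192.0.2.11]
preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor portscan: $HOME_NET 4 3 portscan.log
"""

GOOD_CONF = """\
var DNS_SERVERS [192.0.2.10,192.0.2.11]
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
"""

if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(label, check_ignorehosts_order(conf))
```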



