[Snort-users] Ignorehosts, once again
jaroslav.brandis at ...6982...
Tue Dec 17 07:43:25 EST 2002
> OK, got another implementation of SNort. Now I forgot how I
> got it to ignore certain SOURCE IPs (such as using the
> DNS_SERVERS variable. I know there is a syntax issue with
> this. WHat is the exact way to ignore a host source?
> I currently have:
> var DNS_SERVERS [207.108.40.###,207.108.40.###]
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> THis does not work. I've seen several variations, none of
> which work: It still gets alerts from these hosts.
I got same problem. It's problem of config directive order.
Preprocessor ignoreshost must be after Preprocessor portscan
If you are using portscan2 you can use preprocessor
Use this order:
var DNS_SERVERS [207.108.40.###,207.108.40.###]
preprocessor portscan blablabla
preprocessor portscan-ignorehosts: $DNS_SERVERS
More information about the Snort-users