[Snort-users] Ignorehosts still not working...

Christopher Robert Cook crcook at ...6518...
Thu Dec 19 10:05:09 EST 2002


Try inputting the DNS servers directly into the ignore hosts field (with 
the CIDR notation).


CC

Marc Quibell wrote:

>My snort cmd line is:
> /usr/local/bin/snort -o -q -i eth1  -c /usr/local/demarc/conf/snorteth1.conf
>
>My snorteth1.conf is as follows:
>var HOME_NET any
>var EXTERNAL_NET any
>var SMTP $HOME_NET
>var HTTP_SERVERS $HOME_NET
>var SQL_SERVERS $HOME_NET
>#var DNS_SERVERS $HOME_NET
>var DNS_SERVERS [207.108.40.xx,207.108.40.xxx]
>var HTTP_PORTS 80
>var ORACLE_PORTS 1521
>
>preprocessor defrag
>preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
>preprocessor unidecode: 80
>preprocessor rpc_decode: 111
>preprocessor bo: -nobrute
>preprocessor telnet_decode
>preprocessor portscan: $HOME_NET 4 3 portscan.log
>preprocessor portscan-ignorehosts: $DNS_SERVERS
>preprocessor stream4: detect_scans, disable_evasion_alerts
>
>output database: log, mysql, user=snort_ike dbname=snortmaster password=ikeacc3ss host=192.168.45.111 sensor_name=ike.fbfs.com
>
>
>#BEGIN RULES:
>
>I cannot get it to ignore those two hosts. Suggestions?
>
>Thanks.
>
>Marc