[Snort-users] Portscan: ignoreports option

Erek Adams erek at ...577...
Sat Feb 9 14:50:02 EST 2002

On Sat, 9 Feb 2002, Jon Hart wrote:

> That would give me the desired results.  However, that means all traffic to
> port 20 would get ignored, not just when it comes to detecting portscans.

True.  That could pose a problem....

> The way around this would be to run two snort processes -- one without
> spp_portscan, and one with spp_portscan with a BPF filter and
> without any other rules.  This would mean that one snort process would be
> dedicated to detecting all attacks not including portscans, and the
> second's soul purpose would be to detect portscans, but ignoring certain
> ports.
> IMO, this may not be a viable alternative in some installations because of
> the computational overhead required by running yet another snort process.
> Then again, there is only one way to find out.

Depending on the type of hardware you're using and the infamous 'budget
restrictions' you may be able to use two seperate boxes.  :-)  But that could
just be wishful thinking...

Erek Adams

More information about the Snort-users mailing list