[Snort-users] Problems ignoring a host

Peter Sundstrom peter at ...4950...
Mon Feb 11 18:52:04 EST 2002


----- Original Message -----
From: "Erek Adams" <erek at ...577...>
> On Tue, 12 Feb 2002, Peter Sundstrom wrote:
>
> > I'm trying to ignore alerts triggered by our scanner without any luck.
>
> [...snip...]
>
> > What am I missing?
>
> The fact that the portscan alerts are generated by ssp_portscan.{c,h} and
not
> snort.  Since that's from a pre-processor, pass rules won't help.  Use the
> config file directive "portscan ignorehosts" or use a BPF filter to ignore
> traffic from that host.

I forgot to say that I am using "portscan ignorehosts".  In snort.conf I
have:

var IS_HOSTS 192.168.1.25/32
preprocessor portscan-ignorehosts: $SNMP_HOSTS $IS_HOSTS

Peter





More information about the Snort-users mailing list