[Snort-users] portscan-ignorehosts question

Erek Adams erek at ...577...
Wed Jun 5 22:11:05 EDT 2002


On Fri, 5 Jun 1998, Scot Scot wrote:

> Try this:
>
> [xxx.xxx.xxx.xxx/xx,xxx.xxx.xxx.xxx/xx]  <-- You can add multiple IP's by
> using this format.

Actually, the format is not quite that.  The format breaks down to:
<ip>/<cidr> <ip>/<cidr>

spp_portcan is the oldest pre-processor, and there've been a lot of changes in
the spp_ system since it was built.  One those happens to be the parsing of
arguments for the spp_ system...  :-)  spp_portscan ignorehosts should be in a
white space delimted format.

Such as:
	10.10.10.10/32 10.10.10.11/32

One thing to keep in mind--Things will change rather soon.  :)  Keep your eyes
peeled!  :-)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list