[Snort-users] RE:

Miller, Eoin Miller at ...6968...
Tue Oct 8 10:59:06 EDT 2002


Sorry, it's something I created myself. I create a variable called
ignore_portscan and then I use that variable to control the portscan
pre-processor:

var IGNORE_PORTSCAN [w.x.y.z,w.x.y.z]

preprocessor portscan-ignorehosts: $IGNORE_PORTSCAN 

This works great for me. If it's not working for you, I'd review the syntax
of your snort.conf.

The easiest way to turn down false positives is by tweaking your
variables. If you don't want to see portscans coming from yourself, then
you could do this:

preprocessor portscan-ignorehosts: $HOME_NET

That would ignore your entire home_net variable that you should have
declared.

> -----Original Message-----
> 
> 2002-10-08-11:30:33 Miller, Eoin:
> > in your snort.conf file you will see this
> > 
> > var IGNORE_PORTSCAN [w.x.y.z,w.x.y.z]
> 
> Would that I did. I don't see that in my snort.conf, nor
> anywhere else in my (1.9.0) snort rules. What's more, I'm
> having trouble tuning portscan2; it doesn't seem to be honoring
> portscan-ignorehosts. The easiest way I've found to tune it down for
> false-positives on legit servers is to use BPF to completely blind
> snort to those servers. This seems suboptimal to me.
> 
> -Bennett
> 
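
Added example (not part of the original message, and not Snort's own code): a small Python check for the snort.conf pattern described above. It confirms that every $VAR used on a portscan-ignorehosts line was defined by an earlier var line, and suggests the closest defined name when it was not. The sample config and its addresses are constructed, only the plain $NAME reference form is handled, and the function names are hypothetical.

```python
import difflib
import re

# Constructed sample snort.conf; addresses are documentation-range placeholders.
SAMPLE_CONF = """\
var HOME_NET 192.0.2.0/24
var IGNORE_PORTSCAN [192.0.2.10,192.0.2.11]
preprocessor portscan-ignorehosts: $IGNORE_PORSCAN   # misspelled reference
preprocessor portscan-ignorehosts: $IGNORE_PORTSCAN
"""

VAR_REF = re.compile(r"\$(\w+)")  # assumption: only the plain $NAME form


def expand(value, defined, lineno, problems):
    """Substitute $NAME references; record any that are not yet defined."""
    def sub(match):
        name = match.group(1)
        if name in defined:
            return defined[name]
        # Variable names are matched exactly, so offer the nearest defined one.
        hint = difflib.get_close_matches(name, list(defined), n=1)
        problems.append((lineno, name, hint[0] if hint else None))
        return match.group(0)  # leave the unresolved reference visible
    return VAR_REF.sub(sub, value)


def check_ignorehosts(conf_text):
    """Return (resolved ignore lists, problems) for portscan-ignorehosts lines."""
    defined, resolved, problems = {}, [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 2)
        if parts[0] == "var" and len(parts) == 3:
            # A var may itself reference earlier variables.
            defined[parts[1]] = expand(parts[2], defined, lineno, problems)
        elif line.startswith("preprocessor portscan-ignorehosts:"):
            value = line.split(":", 1)[1].strip()
            resolved.append(expand(value, defined, lineno, problems))
    return resolved, problems


if __name__ == "__main__":
    lists, issues = check_ignorehosts(SAMPLE_CONF)
    for lineno, name, hint in issues:
        print(f"line {lineno}: ${name} is not defined (did you mean ${hint}?)")
    print("effective ignore lists:", lists)
```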



