[Snort-users] Re: spp_portscan2 questions

Bennett Todd bet at ...6163...
Fri Oct 18 10:47:07 EDT 2002


2002-10-18-11:20:21 Pauling:
> Having looked around, I don't see any way for me to tell portscan2 to 
> ignore portscans from certain hosts... does anybody know if there is such 
> a way, and also if there is a way to specify, "Ignore portscans from 
> certain hosts from certain ports" specifially?

To ignore certain hosts, use "preprocessor portscan2-ignorehosts:",
just like the "preprocessor portscan-ignorehosts" that's documented
in the manual and in the snort.conf. portscan2-ignorehosts just
isn't documented yet, is all.

To ignore certain ports at certain hosts, the only approach is to
totally blind snort to all traffic matching that pattern. Say you
want to completely ignore all tcp traffic from 10.1.2.3 to port 456.
This will not only blind portscan2, it'll also blind all the other
rules, but that's the only alternative available today. To do this,
you would use a BPF filter

	'not (src host 10.1.2.3 and ip proto tcp and dst port 456)'

Naturally if the traffic pattern that you want to ignore features a
certain source port instead of a certain dest port, you'd change
"dst port" to "src port" in the above, and so forth. There's a
compact explanation of BPF filter language at the bottom of the
snort man page. You can specify a filter either as the last argument
on the snort commandline, or else by putting it in a file and naming
that file with "-F filterfile" again on the snort commandline.

The quotes I illustrated above would be used on a commandline; they
aren't part of the BPF expression, they're just to protect the
parentheses within the expression from a shell.

-Bennett
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20021018/52301321/attachment.sig>


More information about the Snort-users mailing list