[Snort-users] Snort 1.9 problem
SecurityAdmin at ...7235...
Mon Oct 21 13:18:04 EDT 2002
I updated my snort installation (3 sensors and a central console) to 1.9.0
last week. I reviewed the new snort.conf files and everything looks fine.
The problem I am having is it is logging portscans to my database from IPs
which are in my preprocessor portscan ignore-hosts list. These IPs are my
external DNS, firewall IP and web proxy (needless to say they are chatty). I
have turned on the new Portscan2 preprocessor, and all the alerts from these
IPs show as (spp_portscan2). Is there some way to exclude IP addresses from
the Portscan2 preprocessor, assuming of course my assumption is correct and
this is where these alerts are originating? I was previously running 1.8.7
and this wasn't an issue.
Any input would be greatly appreciated.