[Snort-users] Snort 1.9 problem

Alberto Gonzalez ag-snort at ...7149...
Mon Oct 21 20:52:02 EDT 2002

like spp_portscan , spp_portscan2 has 'ignore-hosts; as well....

- 2 cents

hope it helps

    - Albert

Security Admin wrote:

> I updated my snort installation (3 sensors and a central console) to 
> 1.9.0 last week. I reviewed the new snort.conffiles and everything 
> looks fine. The problem I am having is it is logging portscans to my 
> database from IP's which are in my preprocessorportscan ignore-hosts 
> list. These ip'sare my external DNS, firewall ip and web proxy 
> (needless to say they are chatty). I have turned on the new Portscan2 
> preprocessor, and all the alerts from these IP's show as 
> (spp_portscan2). Is there some way to exclude IP addresses from the 
> Portscan2 preprocessor, assuming of course my assumption is correct 
> and this is where these alerts are originating? I was previously 
> running 1.8.7 and this wasn't an issue.
> Any input would be greatly appreciated.
> Cheers,
> Wayne

The secret to success is to start from scratch and keep on scratching.

More information about the Snort-users mailing list