[Snort-users] Snort 1.9 problem
ag-snort at ...7149...
Mon Oct 21 20:52:02 EDT 2002
like spp_portscan, spp_portscan2 has 'ignore-hosts' as well....
- 2 cents
hope it helps
Security Admin wrote:
> I updated my snort installation (3 sensors and a central console) to
> 1.9.0 last week. I reviewed the new snort.conf files and everything
> looks fine. The problem I am having is it is logging portscans to my
> database from IP's which are in my preprocessor portscan ignore-hosts
> list. These ip's are my external DNS, firewall ip and web proxy
> (needless to say they are chatty). I have turned on the new Portscan2
> preprocessor, and all the alerts from these IP's show as
> (spp_portscan2). Is there some way to exclude IP addresses from the
> Portscan2 preprocessor, assuming of course my assumption is correct
> and this is where these alerts are originating? I was previously
> running 1.8.7 and this wasn't an issue.
> Any input would be greatly appreciated.
The secret to success is to start from scratch and keep on scratching.