[Snort-users] portscan target filter ?

Charles Gillet charles at ...8901...
Wed Apr 23 07:41:58 EDT 2003


A combination of ignorehosts and ignoreports-from has cut down on my 
false positives considerably.  Thanks!

It wasn't clear to me how I might go about filing an enhancement 
request.  Can someone point me in the right direction?

-charles

L. Christopher Luther wrote:
> Did you get an answer to your question?  I never saw a response on the list.
> If not, other than:  
> 
>   preprocessor portscan2-ignorehosts: 
>   preprocessor portscan2-ignoreports-to:
>   preprocessor portscan2-ignoreports-from:
> 
> and 
> 
>   preprocessor portscan-ignorehosts: 
> 
> I'm not aware of any other mechanism that meets your needs.  Well, except
> BPF filter on the command line.  
> 
> Cheers! 
> 
> -----Original Message-----
> From: Charles Gillet [mailto:charles at ...8901...]
> Sent: Wednesday, April 16, 2003 2:12 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] portscan target filter ?
> 
> 
> 
> Hi There,
> 
> I would like to filter out a list of port scan target IPs as well as 
> source IPs.  I don't see an easy way to do this with either of the two 
> portscan preprocessors.  Has anyone come up with a way to do this?  I'm 
> running 2.0.0.
> 
> thanks for any help,
> 
> -charles