AW: [Snort-users] pass rule

Poppi, Sandro Sandro.Poppi at ...3316...
Fri Apr 25 03:34:12 EDT 2003

Hi Björn,

> -> I don't want portscan-ignorehost e.g ( define cus I
> think then are all ports to this IP ignored!?..
> Do I understand something wrong ?? 

Maybe a little bit: portscan2-ignorehosts makes snort ignore PORTSCANS
coming from the given ip#/nets but does not influence any other
preprocessors or signatures in such a way that all traffic is ignored.

An example:

preprocessor portscan2-ignorehosts:

doesn't generate any portscan alert from even when nmap'ing
from that host, but you will e.g. get alerts like ICMP nmap ping which is
signature based.

OTOH: Using pass rules doesn't influence the portscan2-ignorehosts
preprocessor because pass rules only work for signatures but not for

OTOH2: If you're using BPF filters on the command line you will ignore the
given hosts completely so no alert of any kind will be generated by snort.

