AW: [Snort-users] pass rule
Sandro.Poppi at ...3316...
Fri Apr 25 03:34:12 EDT 2003
> -> I don't want portscan-ignorehost e.g (18.104.22.168) define cus I
> think then are all ports to this IP ignored!?..
> Do I understand something wrong ??
Maybe a little bit: portscan2-ignorehosts makes snort to ignore PORTSCANS
coming from the given ip#/nets but does not influence any other
preprocessors or signatures in that that all traffic is ignored.
preprocessor portscan2-ignorehosts: 22.214.171.124/32
doesn't generate any portscan alert from 126.96.36.199/32 even when nmap'ing
from that host, but you will e.g. get alerts like ICMP nmap ping which is
OTOH: Using pass rules doesn't influence the portscan2-ignorehosts
preprocessor because pass rules only work for signatures but not for
OTOH2: If you're using BPF filters on the command line you will ignore the
given hosts completely so no alert of any kind will be generated by snort.
More information about the Snort-users