AW: [Snort-users] pass rule

Poppi, Sandro Sandro.Poppi at ...3316...
Fri Apr 25 03:34:12 EDT 2003


Hi Björn,

[snip]
> 
> -> I don't want to define portscan-ignorehost (e.g. 212.8.128.120) because I
> think then all ports to this IP are ignored!?..
> 
> Do I understand something wrong ?? 

Maybe a little bit: portscan2-ignorehosts makes snort ignore PORTSCANS
coming from the given ip#/nets but does not influence any other
preprocessors or signatures in the sense that all traffic is ignored.

An example:

preprocessor portscan2-ignorehosts: 212.8.128.114/32

doesn't generate any portscan alert from 212.8.128.114/32 even when nmap'ing
from that host, but you will e.g. get alerts like ICMP nmap ping which is
signature based.

OTOH: Using pass rules doesn't influence the portscan2-ignorehosts
preprocessor because pass rules only work for signatures but not for
preprocessors.

OTOH2: If you're using BPF filters on the command line you will ignore the
given hosts completely so no alert of any kind will be generated by snort.

HTH,
Sandro
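
The three scopes described in the message above, side by side, as an added example that is not part of the original post. The pass rule, the -o switch and the snort.conf file name are assumptions for a Snort release of this era; the host address is the one used in the message.

```conf
# --- snort.conf -------------------------------------------------------
# 1) Preprocessor scope: only portscan2 stops reporting scans from this
#    host. Signature alerts (e.g. "ICMP nmap ping") still fire.
preprocessor portscan2-ignorehosts: 212.8.128.114/32

# 2) Signature scope: a pass rule stops rule-based alerts for matching
#    packets, but preprocessors such as portscan2 are not affected by it.
#    Assumption: snort is started with -o so that pass rules are
#    evaluated before alert rules.
pass ip 212.8.128.114/32 any -> any any

# --- command line -----------------------------------------------------
# 3) Capture scope: a BPF filter removes the host's packets before any
#    preprocessor or rule sees them, so no alert of any kind is
#    generated for that host. This is the widest exclusion of the three.
# snort -o -c snort.conf 'not host 212.8.128.114'
```

Options 1 and 2 can be combined to silence both portscan and signature alerts for a trusted scanner while the traffic is still captured and decoded.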