[Snort-users] Pass rule not working...
mkettler at ...4108...
Thu Jan 23 10:52:08 EST 2003
Actually, *does* that work for you Erek?
I seemed to have to use:
preprocessor portscan2-ignorehosts: $HOME_NET
preprocessor portscan-ignorehosts: $HOME_NET
when using portscan2, and that output looks pretty portscan2-ish to me.
But you are right, if that's output from a preprocessor like portscan2, I
don't think pass rules will change anything. BPF is the way to go for that,
or use the portscan2-ignorehosts bit. Or heck, just turn off portscan2
entirely (preferably replacing it with something else that works better
At 09:08 AM 1/23/2003 -0500, Erek Adams wrote:
> > preprocessor portscan-ignorehosts: $HOME_NET
> > local.rules:
> > pass tcp $HOME_NET any -> $HOME_NET 8001
> > pass tcp $HOME_NET 8001 -> $HOME_NET any
>That works for me, and should work for you. If it doesn't (the alerts are
>coming from spp_portscan(2)) then you might have to use a BPF filter.
>snort <usual options> "not host <foo> and port 8001"
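
An added illustration, not part of the original thread and not Snort or libpcap code: a small Python evaluator for a subset of pcap-filter syntax, showing which packets still reach the sensor when a filter of the form quoted above is written with and without parentheses. In pcap-filter syntax negation binds tightest, while "and" and "or" share one precedence level and associate left to right. The address 192.0.2.10 stands in for <foo>, and the sample packets are constructed.

```python
# Added illustration: subset of pcap-filter syntax (host, port, not, and, or, parentheses).

def combine(op, a, b):
    return (lambda p: a(p) and b(p)) if op == "and" else (lambda p: a(p) or b(p))

def parse_expr(tokens):
    # expr := term (('and' | 'or') term)*  ; equal precedence, left to right
    left = parse_term(tokens)
    while tokens and tokens[0] in ("and", "or"):
        op = tokens.pop(0)
        left = combine(op, left, parse_term(tokens))
    return left

def parse_term(tokens):
    # term := 'not' term | '(' expr ')' | 'host' ADDR | 'port' N
    tok = tokens.pop(0)
    if tok == "not":  # negation binds tighter than and/or
        inner = parse_term(tokens)
        return lambda p: not inner(p)
    if tok == "(":
        inner = parse_expr(tokens)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("missing ')'")
        return inner
    if tok == "host":
        addr = tokens.pop(0)
        return lambda p: addr in (p["src"], p["dst"])
    if tok == "port":
        port = int(tokens.pop(0))
        return lambda p: port in (p["sport"], p["dport"])
    raise ValueError("unsupported token: " + tok)

def captured(filter_text, packets):
    """Names of the packets the filter lets through to the sensor."""
    tokens = filter_text.replace("(", " ( ").replace(")", " ) ").split()
    pred = parse_expr(tokens)
    if tokens:
        raise ValueError("trailing tokens: " + " ".join(tokens))
    return [p["name"] for p in packets if pred(p)]

# Constructed sample traffic; 192.0.2.10 stands in for <foo>.
FOO = "192.0.2.10"
PACKETS = [dict(name=n, src=s, dst="192.0.2.20", sport=40000, dport=d)
           for n, s, d in [("foo:8001", FOO, 8001), ("foo:80", FOO, 80),
                           ("other:8001", "192.0.2.30", 8001),
                           ("other:22", "198.51.100.7", 22)]]
UNGROUPED = "not host 192.0.2.10 and port 8001"
GROUPED = "not (host 192.0.2.10 and port 8001)"
for f in (UNGROUPED, GROUPED):
    print(f, "->", captured(f, PACKETS))
```

Packets absent from a filter's result never reach Snort at all, so neither the preprocessors nor the rules can alert on them.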