[Snort-users] preprocessor portscan-ignorehosts

Frederick B. Henry, Jr. fbhjr at ...9626...
Tue Jul 8 13:16:11 EDT 2003


I am using snort Version 1.9.0 (Build 209), with mysql and ACID v0.9.6b23.

I have the following in my snort.conf:

preprocessor portscan-ignorehosts: $DNS_SERVERS

The problem is that I still get a ton of false positive scan alerts from
said IP.

I also have:

preprocessor portscan2: scanners_max 1000, targets_max 1000, target_limit
5, port_limit 20, timeout 60

I would like to not see any scan alerts from said IP in my ACID console.
What am I doing wrong?



More information about the Snort-users mailing list