[Snort-users] preprocessor portscan-ignorehosts

Frederick B. Henry, Jr. fbhjr at ...9626...
Tue Jul 8 13:16:11 EDT 2003


Greetings,

I am using snort Version 1.9.0 (Build 209), with mysql and ACID v0.9.6b23.

I have the following in my snort.conf:

preprocessor portscan-ignorehosts: $DNS_SERVERS 209.248.79.90/32

The problem is that I still get a ton of false positive scan alerts from
said IP.

I also have:

preprocessor portscan2: scanners_max 1000, targets_max 1000, target_limit
5, port_limit 20, timeout 60

I would like to not see any scan alerts from said IP in my ACID console.
What am I doing wrong?

Best,

Fred





More information about the Snort-users mailing list