[Snort-users] Portscan2-ignorehosts

Schmehl, Paul L pauls at ...6838...
Thu Sep 11 13:08:20 EDT 2003


> -----Original Message-----
> From: zottmann at ...8178... [mailto:zottmann at ...8178...] 
> Sent: Thursday, September 11, 2003 8:41 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Portscan2-ignorehosts
> 
> I have seen some e-mail messages talking about the 
> Portscan2-ignorehosts 
> preprocessor, but I can't find it for download anywhere.... 
> 
> Are they talking about Portscan-ignorehosts instead, or am I missing 
> something? 
> 
You're missing something.  Portscan2 is a new, improved version of the portscan preprocessor.  It's part of the snort install, and you enable or disable it in snort.conf.  The sample conf file has a pretty good explanation of what it does and how it works.

You should only use one or the other - either portscan or portscan2.

Portscan2-ignorehosts is a configuration option that you use in the snort.conf file.  If you have hosts for which you want all portscan alerts to be ignored, you put their IP addresses in the portscan2-ignorehosts list, like this:

preprocessor portscan2-ignorehosts: ip ip ip ip

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
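
An added example, not part of the original post and not Snort project code: a small Python audit of a snort.conf that flags portscan and portscan2 being enabled together, flags an ignorehosts list whose preprocessor is not enabled, and lists every host exempted from portscan alerts so the blind spots can be reviewed. The sample configuration and the function names are constructed for illustration, and accepting CIDR notation as well as bare IP addresses in the list is an assumption.

```python
import ipaddress

# Constructed sample snort.conf fragment (not from the post); arguments are illustrative.
SAMPLE_CONF = """\
# old and new scan detectors both enabled by mistake
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan2
preprocessor portscan2-ignorehosts: 192.0.2.10 192.0.2.53 198.51.100.300
#preprocessor portscan-ignorehosts: 192.0.2.99
"""

def active_preprocessors(conf_text):
    """Return {name: [argument strings]} for uncommented 'preprocessor' lines."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line.startswith("preprocessor "):
            continue
        name, _, args = line[len("preprocessor "):].partition(":")
        found.setdefault(name.strip(), []).append(args.strip())
    return found

def check_portscan_config(conf_text):
    """Return (warnings, ignored_hosts) for the portscan/portscan2 settings."""
    pre = active_preprocessors(conf_text)
    warnings, ignored = [], []
    if "portscan" in pre and "portscan2" in pre:
        warnings.append("both portscan and portscan2 are enabled; use only one")
    for family in ("portscan", "portscan2"):
        opt = family + "-ignorehosts"
        if opt in pre and family not in pre:
            warnings.append(f"{opt} is set but {family} is not enabled")
        for args in pre.get(opt, []):
            for token in args.split():
                try:
                    # Normalise each entry; a bare address becomes a /32.
                    ignored.append(str(ipaddress.ip_network(token, strict=False)))
                except ValueError:
                    warnings.append(f"{opt}: '{token}' is not a valid address")
    return warnings, ignored

if __name__ == "__main__":
    warnings, ignored = check_portscan_config(SAMPLE_CONF)
    print("hosts exempt from portscan alerts:", ignored)
    for w in warnings:
        print("warning:", w)
```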



