[Snort-users] how do you remove local subnet from scan.rules

Matt Kettler mkettler at ...4108...
Thu Aug 12 10:37:11 EDT 2004


At 08:36 AM 8/12/2004, Mike Dodor wrote:
>I'm looking for help with the proper syntax that will allow me to ingnore 
>scan alerts where the source and destination are the same subnet.
>The logs are getting overwhelmed with ssp_portscan2 alerts from the DC's 
>to our Webmail frontends.
>So I'm looking for a little help in how best to edit the scan.rules so it 
>will ignore any ssp_portscan2's from within the same subnet.

If your problem is spp_portscan2, don't edit scan.rules.. That won't help 
in the slightest, as the two are completely unrelated.

It's like trying to put toner in an inkjet printer.. Yes Toner is used in 
printing, but not in inkjet printers. Inkjets use ink cartridges.

If you want portscan2 to ignore certain hosts, use the 
portscan2-ignorehosts directive.

Either that or ditch portscan2 entirely and use flow_portscan instead. It's 
a bit more configurable, albeit much more confusing.







More information about the Snort-users mailing list