[Snort-users] suppress 'open port' on well-known services

Jeremy Hewlett jh at ...1935...
Wed Feb 23 12:58:07 EST 2005

On Wed, Feb 23, Roy Kidder wrote:
> Can I write suppression statements based not only on gen_id, sig_id, and
> src/dst ip, but also include tcp or udp port? Or am I approaching this the
> wrong way?

Currently a user can only ignore by Scanned host or by Scanning host
with sfPortscan.  The optimal way to do this would be to add ignores
for port+IP. This is currently under development/testing - hoping to
get this out soon.
