[Snort-users] Question regarding sfportscan

Jeremy Hewlett jh at ...1935...
Fri Jan 7 12:49:04 EST 2005


On Wed, Dec 29, J-H Johansen wrote:
> ignore_scanners { [$PROXY_SERVERS,$MAIL_SERVERS] } \
> 
> The $PROXY_SERVERS variable is built out of two other variables ($X and $Y).
> The problem is that when I run a check on the config the "Portscan
> Detection Config" only lists the IPs in the first variable ($X).

How do you have your variables set up? sfPortscan only handles lists
of IPs, not "lists of lists."

So, if you have:
var X_IP [192.168.0.1]
var Y_IP [192.168.0.2]
var PROXY_SERVERS [$X_IP,$Y_IP]
var MAIL_SERVERS [10.0.1.1,10.0.1.2]
ignore_scanners { [$PROXY_SERVERS,$MAIL_SERVERS] }

This expands to:
ignore_scanners { [[[192.168.0.1],[192.168.0.2]],[10.0.1.1,10.0.1.2]] }

Once we hit the first ']' we are done, so the scanner only uses X_IP.
However, if you write your server IPs this way:

var X_IP 192.168.0.1
var Y_IP 192.168.0.2
var PROXY_SERVERS $X_IP,$Y_IP
var MAIL_SERVERS 10.0.1.1,10.0.1.2
ignore_scanners { [$PROXY_SERVERS,$MAIL_SERVERS] }

This expands to:
ignore_scanners { [192.168.0.1,192.168.0.2,10.0.1.1,10.0.1.2] }
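
An added example, not part of the original post and not Snort code: a small Python check that expands `var` definitions textually and, assuming the stop-at-first-']' behaviour described above, reports which addresses in an `ignore_scanners` list would actually take effect. The function names are hypothetical; the sample configs are the two layouts from the post.

```python
import re

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")
REF_RE = re.compile(r"\$(\w+)")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?")

# The two variable layouts from the post, embedded so this runs offline.
NESTED = """var X_IP [192.168.0.1]
var Y_IP [192.168.0.2]
var PROXY_SERVERS [$X_IP,$Y_IP]
var MAIL_SERVERS [10.0.1.1,10.0.1.2]"""
FLAT = """var X_IP 192.168.0.1
var Y_IP 192.168.0.2
var PROXY_SERVERS $X_IP,$Y_IP
var MAIL_SERVERS 10.0.1.1,10.0.1.2"""
OPTION = "ignore_scanners { [$PROXY_SERVERS,$MAIL_SERVERS] }"

def parse_vars(conf):
    """Collect `var NAME value` definitions from Snort-style config text."""
    matches = (VAR_RE.match(line) for line in conf.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def expand(text, variables, depth=0):
    """Textually substitute $NAME references until none remain."""
    if depth > 16:
        raise ValueError("variable reference loop")
    out = REF_RE.sub(lambda m: variables[m.group(1)], text)
    return expand(out, variables, depth + 1) if REF_RE.search(out) else out

def check_ignore_list(option, variables):
    """Return (expanded, effective, dropped) for one sfPortscan list option.

    Assumption from the post: reading stops at the first ']', so only
    addresses before it take effect. This models that description; it is
    not Snort's parser.
    """
    expanded = expand(option, variables)
    body = expanded[expanded.index("[") + 1:]
    effective = IP_RE.findall(body[:body.index("]")])
    dropped = [ip for ip in IP_RE.findall(body) if ip not in effective]
    return expanded, effective, dropped

if __name__ == "__main__":
    for name, conf in (("nested", NESTED), ("flat", FLAT)):
        expanded, effective, dropped = check_ignore_list(OPTION, parse_vars(conf))
        print(f"{name}: {expanded}")
        print(f"  effective: {effective}")
        print(f"  silently not ignored: {dropped or 'none'}")
```

A non-empty "silently not ignored" list means those hosts will still be evaluated as scanners despite appearing in the option.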





