[Snort-users] No clue?

Matt Kettler mkettler at ...4108...
Tue Nov 15 11:10:02 EST 2005


John Friedman wrote:
> Hi all,
>  
> Since I did not get any reply on this, is there any way to suppress or
> pass this alert?
>  

Suggestion: look at the ignorehosts option for portscan.

Pass definitely will not work. Since pass is a rule, it can only work if the
offending traffic is matching a rule.

You might be able to suppress it, but you'd probably wind up having to suppress
all portscans...

It's generally best to configure your portscan plugins properly in the first
place. Actually, if you're monitoring an internal LAN, you'll probably just want
to turn it off or turn the thresholds way up.




More information about the Snort-users mailing list