[Snort-users] sfPortscan IP list ?

Jason Brvenik jasonb at ...1935...
Fri Sep 2 05:38:01 EDT 2005


Not looked at the code but the difference may be that the working 
example is an IP list

{ x.x.x.x/y,x.x.x.x,x.x.x.x,x.x.x.x }

Can you split your one argument into multiple argumments?

If it is a single IP try adding a localhost IP as well.

{ 10.1.1.1/32,127.0.0.2/32 }

T Samp. wrote:
> Very strange....  I have it set up just like that...
> 
> ignore_scanners  {xxx.xxx.xxx.xxx}
> 
> And it again Snort tells me that there is "no argument" to the option....
> I am using 2.4 as well...
> 
> The docs talk about a "Snort IP list" as the argument to ignore_scanners as
> opposed to just CIDR IP address...
> Maybe I am passing the address incorrectly?  Then again it works for you :)
> 
> Thanks for reaching out...
> 
> 
> 
> -----Original Message-----
> From: Lee Clemens [mailto:snort at ...13080...] 
> Sent: Wednesday, August 31, 2005 8:26 PM
> To: 'T Samp.'
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] sfPortscan IP list ?
> 
> I am using 2.4 and I have ignore_scanners setup like this:
> 
> ignore_scanners { x.x.x.x/y,x.x.x.x,x.x.x.x,x.x.x.x }
> 
> If your HOME_NET is only one IP address, just enter the IP without the
> slash.
> 
> Hope that helps!
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of T Samp.
> Sent: Wednesday, August 31, 2005 6:16 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] sfPortscan IP list ?
> 
> I am experimenting with the sfPortscan module...
> 
> When I utilize the ignore_scanners option, I get a Snort error on
> initialization: "No argument to 'ignore_scanners' config option"
> 
> I have tried  the following:
> 
> ignore_scanners {xxx.xxx.xxx.xxx/32}
> ignore_scanners {$HOME_NET}
> ignore_scanners {[xxx.xxx.xxx.xxx/32]}
> ignore_scanners {[$HOME_NET]}
> 
> I guess I can't figure out the syntax for the IP portion of this option.
> 
> Any nudge in the right direction is greatly appreciated !
> 
> 
> 
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO September
> 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile &
> Plan-Driven Development * Managing Projects & Teams * Testing & QA Security
> * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> 
> 
> 
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 




More information about the Snort-users mailing list