[Snort-users] sfPortscan IP list ?
T Samp.
tsamp77 at ...549...
Fri Sep 2 05:54:02 EDT 2005
Folks... Lee Clemens nailed it for me....
I needed a space around the braces... <Doh!> 40 lashes for me..
Thanks to all again!
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jason Brvenik
Sent: Friday, September 02, 2005 8:37 AM
To: T Samp.
Cc: 'Lee Clemens'; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] sfPortscan IP list ?
Not looked at the code but the difference may be that the working example is
an IP list
{ x.x.x.x/y,x.x.x.x,x.x.x.x,x.x.x.x }
Can you split your one argument into multiple arguments?
If it is a single IP try adding a localhost IP as well.
{ 10.1.1.1/32,127.0.0.2/32 }
T Samp. wrote:
> Very strange.... I have it set up just like that...
>
> ignore_scanners {xxx.xxx.xxx.xxx}
>
> And again Snort tells me that there is "no argument" to the option....
> I am using 2.4 as well...
>
> The docs talk about a "Snort IP list" as the argument to
> ignore_scanners as opposed to just CIDR IP address...
> Maybe I am passing the address incorrectly? Then again it works for
> you :)
>
> Thanks for reaching out...
>
>
>
> -----Original Message-----
> From: Lee Clemens [mailto:snort at ...13080...]
> Sent: Wednesday, August 31, 2005 8:26 PM
> To: 'T Samp.'
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] sfPortscan IP list ?
>
> I am using 2.4 and I have ignore_scanners setup like this:
>
> ignore_scanners { x.x.x.x/y,x.x.x.x,x.x.x.x,x.x.x.x }
>
> If your HOME_NET is only one IP address, just enter the IP without the
> slash.
>
> Hope that helps!
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of T Samp.
> Sent: Wednesday, August 31, 2005 6:16 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] sfPortscan IP list ?
>
> I am experimenting with the sfPortscan module...
>
> When I utilize the ignore_scanners option, I get a Snort error on
> initialization: "No argument to 'ignore_scanners' config option"
>
> I have tried the following:
>
> ignore_scanners {xxx.xxx.xxx.xxx/32}
> ignore_scanners {$HOME_NET}
> ignore_scanners {[xxx.xxx.xxx.xxx/32]}
> ignore_scanners {[$HOME_NET]}
>
> I guess I can't figure out the syntax for the IP portion of this option.
>
> Any nudge in the right direction is greatly appreciated !
>
>
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle
> Practices Agile & Plan-Driven Development * Managing Projects & Teams
> * Testing & QA Security
> * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
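The fix reported at the top of this thread (a space on each side of the braces) can be checked before Snort is started. The following is an added example, not part of any message in the thread and not Snort's own code: a small Python lint that flags sfPortscan option braces glued to a neighbouring token. The sample config, its addresses and the function names are constructed for illustration, and it assumes the options are split on whitespace, as the fix suggests.

```python
import re

# Constructed sample snort.conf fragment; addresses are documentation ranges.
SAMPLE_CONF = r"""var HOME_NET 192.0.2.0/24
preprocessor sfportscan: proto { all } \
    sense_level { low } \
    ignore_scanners {192.0.2.10/32}
preprocessor sfportscan: proto { all } \
    ignore_scanners { 192.0.2.10/32,192.0.2.11 }
"""

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_number, joined_text)."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf)

def lint_sfportscan(text):
    """Return (line_number, option, token) for each brace glued to a neighbour."""
    findings = []
    for n, line in logical_lines(text):
        m = re.match(r"\s*preprocessor\s+sfportscan\s*:(.*)", line)
        if not m:
            continue
        inside, option = False, None
        for tok in m.group(1).split():
            if tok == "{":
                inside = True
            elif tok == "}":
                inside = False
            elif "{" in tok or "}" in tok:
                # Brace shares a token with an option name or a value.
                name = tok.split("{")[0] if "{" in tok else ""
                findings.append((n, name or option, tok))
                inside = tok.rfind("{") > tok.rfind("}")
            elif not inside:
                option = tok  # bare word outside braces is an option name
    return findings
```

Running `lint_sfportscan` over the constructed sample reports the `ignore_scanners {192.0.2.10/32}` entry at its starting line and passes the spaced form.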