[Snort-users] sfPortscan IP list ?

T Samp. tsamp77 at ...549...
Fri Sep 2 05:54:02 EDT 2005


Folks...  Lee Clemens nailed it for me....

I needed a space around the braces... <Doh!> 40 lashes for me..

Thanks to all again!


 

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jason Brvenik
Sent: Friday, September 02, 2005 8:37 AM
To: T Samp.
Cc: 'Lee Clemens'; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] sfPortscan IP list ?

Not looked at the code but the difference may be that the working example is
an IP list

{ x.x.x.x/y,x.x.x.x,x.x.x.x,x.x.x.x }

Can you split your one argument into multiple arguments?

If it is a single IP try adding a localhost IP as well.

{ 10.1.1.1/32,127.0.0.2/32 }

T Samp. wrote:
> Very strange....  I have it set up just like that...
> 
> ignore_scanners  {xxx.xxx.xxx.xxx}
> 
> And again Snort tells me that there is "no argument" to the option....
> I am using 2.4 as well...
> 
> The docs talk about a "Snort IP list" as the argument to 
> ignore_scanners as opposed to just CIDR IP address...
> Maybe I am passing the address incorrectly?  Then again it works for 
> you :)
> 
> Thanks for reaching out...
> 
> 
> 
> -----Original Message-----
> From: Lee Clemens [mailto:snort at ...13080...]
> Sent: Wednesday, August 31, 2005 8:26 PM
> To: 'T Samp.'
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] sfPortscan IP list ?
> 
> I am using 2.4 and I have ignore_scanners setup like this:
> 
> ignore_scanners { x.x.x.x/y,x.x.x.x,x.x.x.x,x.x.x.x }
> 
> If your HOME_NET is only one IP address, just enter the IP without the 
> slash.
> 
> Hope that helps!
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of T Samp.
> Sent: Wednesday, August 31, 2005 6:16 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] sfPortscan IP list ?
> 
> I am experimenting with the sfPortscan module...
> 
> When I utilize the ignore_scanners option, I get a Snort error on
> initialization: "No argument to 'ignore_scanners' config option"
> 
> I have tried  the following:
> 
> ignore_scanners {xxx.xxx.xxx.xxx/32}
> ignore_scanners {$HOME_NET}
> ignore_scanners {[xxx.xxx.xxx.xxx/32]}
> ignore_scanners {[$HOME_NET]}
> 
> I guess I can't figure out the syntax for the IP portion of this option.
> 
> Any nudge in the right direction is greatly appreciated !
> 
> 
> 
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO 
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle 
> Practices Agile & Plan-Driven Development * Managing Projects & Teams 
> * Testing & QA Security
> * Process Improvement & Measurement * http://www.sqe.com/bsce5sf 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


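A pre-flight check for the mistake resolved in this thread, as an added example that is not part of the original messages or of Snort itself: it scans `preprocessor sfportscan:` lines in a snort.conf for tokens where a brace touches its value, the form reported above as producing "No argument to 'ignore_scanners' config option". The function names and the sample configuration are constructed for illustration, and the suggested spacing only separates the braces; it does not validate the IP list itself.

```python
import re

# Constructed sample snort.conf fragment; addresses are documentation ranges.
SAMPLE_CONF = r"""
preprocessor sfportscan: proto { all } \
    sense_level { low } \
    ignore_scanners {192.0.2.10/32}
preprocessor sfportscan: proto { all } \
    ignore_scanners { 192.0.2.10/32,198.51.100.7 }
"""

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_no, joined_text)."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:  # file ended on a continuation
        yield start, buf

def glued_braces(conf_text):
    """Return (line_no, token, spaced_form) for each sfportscan token in which
    a brace touches its value, the form the thread reports as failing."""
    findings = []
    for line_no, line in logical_lines(conf_text):
        m = re.match(r"\s*preprocessor\s+sfportscan\s*:(.*)", line, re.I)
        if not m:
            continue  # comments and other directives are ignored
        for tok in m.group(1).split():
            if tok not in ("{", "}") and re.search(r"[{}]", tok):
                spaced = re.sub(r"\s*([{}])\s*", r" \1 ", tok).strip()
                findings.append((line_no, tok, spaced))
    return findings

if __name__ == "__main__":
    for line_no, tok, spaced in glued_braces(SAMPLE_CONF):
        print(f"line {line_no}: '{tok}' should be written '{spaced}'")
```

Running a check like this before restarting the sensor catches the typo while the previous configuration is still loaded, rather than at Snort initialization.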