[Snort-users] ignore_scanned on sfportscan

Jesús Gálvez jesuxgalvez at ...11031...
Fri Aug 11 03:41:52 EDT 2006


Hi. I have a lot of falses positivos triggered by the preprocessor sfportscan. All have as destined IP external hosts. So I add the next parameter

ignore_scanned { $EXTERNAL_NET }

but log says that EXTERNAL_NET cannot be used in ignore_scanned. But it´s indeed what I want!

the complete configuration:


preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low } \
                         ignore_scanners { $HOME_NET } \
                         ignore_scanned { $EXTERNAL_NET }  <---- this give the error

Thanks.



 		
---------------------------------

LLama Gratis a cualquier PC del Mundo.
Llamadas a fijos y móviles desde 1 céntimo por minuto.
http://es.voice.yahoo.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20060811/e2fe0993/attachment.html>


More information about the Snort-users mailing list