[Snort-users] Ignore scanned not playing nice

Michael Schwartzkopff misch at ...3397...
Tue Jun 27 08:55:58 EDT 2006


On Tuesday, 27 June 2006 14:49, James Lay wrote:
> Hey all.
>
> Here's what I have in my snort.conf:
>
> preprocessor sfportscan: proto  { all } \
>                          memcap { 10000000 } \
>                          sense_level { low } \
>                          ignore_scanners { 192.168.0.3 192.168.0.2 }
>
> Yet here is what I get constantly:
>
> Jun 27 06:47:06 myshield snort[18799]: [122:3:0] (portscan) TCP
> Portsweep {PROTO255} 192.168.0.2 -> 208.184.59.164
>
> Did I miss something in the config?  Thanks people!
>
> James

hi,

In the Snort manual it is written:

5. ignore scanners <ip list>
Ignores the source of scan alerts. ip list can be a comma separated list of IP
addresses or IP addresses using CIDR notation.

Try using commas without the space between the addresses.

Hope that helps.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
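
An added example, not part of the original message or of the Snort project: a small Python check that reads the sfportscan line from a snort.conf and flags ignore_scanners / ignore_scanned lists that are not written as the comma separated list described in the manual text quoted above. The function names and the sample configuration are constructed for illustration, and the check assumes the lists hold only plain IP addresses or CIDR blocks.

```python
import ipaddress
import re

# Constructed sample: the sfportscan block as posted in the question.
SAMPLE_CONF = r"""
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low } \
                         ignore_scanners { 192.168.0.3 192.168.0.2 }
"""

# sfportscan options that take an IP list (checked here: the two ignore lists).
LIST_OPTIONS = ("ignore_scanners", "ignore_scanned")


def join_continuations(text):
    """Fold backslash-continued lines into single logical lines."""
    return re.sub(r"\\\s*\n", " ", text)


def check_sfportscan_lists(conf_text):
    """Return (option, problem, suggested_value) tuples for the IP-list options."""
    findings = []
    for line in join_continuations(conf_text).splitlines():
        line = line.split("#", 1)[0].strip()  # drop snort.conf comments
        if not line.startswith("preprocessor sfportscan"):
            continue
        for opt in LIST_OPTIONS:
            m = re.search(r"\b%s\s*\{([^}]*)\}" % opt, line)
            if not m:
                continue
            body = m.group(1).strip()
            entries = [e for e in re.split(r"[,\s]+", body) if e]
            for entry in entries:
                try:
                    ipaddress.ip_network(entry, strict=False)
                except ValueError:
                    findings.append((opt, "not an IP or CIDR: " + entry, None))
            # The quoted manual text describes a comma separated list, so any
            # whitespace left inside the braces is reported with a rewrite.
            if re.search(r"\s", body):
                findings.append((opt, "whitespace inside list", ",".join(entries)))
    return findings


if __name__ == "__main__":
    for opt, problem, fix in check_sfportscan_lists(SAMPLE_CONF):
        print(opt, "-", problem, "->", fix)
```
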