[Snort-users] Ignore scanned not playing nice

James Lay jlay at ...13475...
Tue Jun 27 09:14:30 EDT 2006


On Tue, 27 Jun 2006 14:55:58 +0200
Michael Schwartzkopff <misch at ...3397...> wrote:

> On Tuesday, 27 June 2006 14:49, James Lay wrote:
> > Hey all.
> >
> > Here's what I have in my snort.conf:
> >
> > preprocessor sfportscan: proto  { all } \
> >                          memcap { 10000000 } \
> >                          sense_level { low } \
> >                          ignore_scanners { 192.168.0.3 192.168.0.2 }
> >
> > Yet here is what I get constantly:
> >
> > Jun 27 06:47:06 myshield snort[18799]: [122:3:0] (portscan) TCP
> > Portsweep {PROTO255} 192.168.0.2 -> 208.184.59.164
> >
> > Did I miss something in the config?  Thanks people!
> >
> > James
> 
> hi,
> 
> in the docsnort manual it is written:
> 
> 5. ignore scanners <ip list>
> Ignores the source of scan alerts. ip list can be a comma separated
> list of IP addresses or IP addresses using CIDR notation.
> 
> Try using commas without the space between the addresses.
> 
> Hope that helps.
> 

I'm sure that's the issue...thanks Michael!

James

> -- 
> Dr. Michael Schwartzkopff
> MultiNET Services GmbH
> Bretonischer Ring 7
> 85630 Grasbrunn
> 
> Tel: (+49 89) 456 911 - 0
> Fax: (+49 89) 456 911 - 21
> mob: (+49 174) 343 28 75
> 
> PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
> Skype: misch42
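
An added example, not part of the original thread and not Snort's own code: a small Python check that finds `ignore_scanners` / `ignore_scanned` lists in an sfportscan stanza and flags any that do not match the comma-separated form quoted from the manual above. The function names are hypothetical, the sample is the stanza from the post, and the check only compares against the documented format; it makes no claim about what Snort's parser itself accepts.

```python
import ipaddress
import re

# Constructed sample: the sfportscan stanza quoted in the thread above.
SAMPLE_CONF = r"""
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low } \
                         ignore_scanners { 192.168.0.3 192.168.0.2 }
"""

# sfportscan options that take an IP list.
IP_LIST_OPTIONS = ("ignore_scanners", "ignore_scanned")


def join_continuations(text):
    """Fold backslash-continued lines into single logical lines."""
    return re.sub(r"\\[ \t]*\r?\n", " ", text)


def check_ip_lists(conf_text):
    """Return (option, problems, normalized_form) for each IP-list option."""
    findings = []
    for line in join_continuations(conf_text).splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        if not re.match(r"\s*preprocessor\s+sfportscan\s*:", line):
            continue
        for opt, body in re.findall(r"(\w+)\s*\{([^}]*)\}", line):
            if opt not in IP_LIST_OPTIONS:
                continue
            problems = []
            body = body.strip()
            if re.search(r"\s", body):
                problems.append("whitespace inside list; manual documents "
                                "a comma separated list")
            entries = [e for e in re.split(r"[\s,]+", body) if e]
            for entry in entries:
                try:
                    ipaddress.ip_network(entry, strict=False)
                except ValueError:
                    problems.append(f"not an IP address or CIDR block: {entry}")
            findings.append((opt, problems, f"{opt} {{ {','.join(entries)} }}"))
    return findings


if __name__ == "__main__":
    for opt, problems, fixed in check_ip_lists(SAMPLE_CONF):
        for problem in problems:
            print(f"{opt}: {problem}")
        print(f"suggested: {fixed}")
```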



