Thu Nov 23 16:36:19 EST 2017
about how spp_portscan can't/won't use the format used in DNS_SERVERS.
Here's a snip from Phil Woods' email.
2. var DNS_SERVERS [XX.XX.XX.XX/32, YY.YY.YY.YY/32]
***THIS COMMENT ONLY APPLIES to a configuration which has portscan enabled.
Note that portscan code was never re-written to handle the classic
[a.b.c.0/24,q.r.s.t,...] (or negation thereof.)
If you want DNS_SERVERS to be parsed by portscan-ignorehosts preprocessor
you must use a space separated list.
So, without exhausting comprehension of the parsing code in spp_portscan.c
there is no telling what would be ignored or not if DNS_SERVERS is used.
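
A config check for the mismatch described above, as an added example that is not part of the original message or of Snort itself. It flags variables passed to portscan-ignorehosts that use the bracketed, comma separated or negated form, and suggests the space separated form where one exists. The sample config, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample snort.conf fragment (documentation-range addresses).
SAMPLE_CONF = """\
var HOME_NET [192.0.2.0/24,198.51.100.0/24]
var DNS_SERVERS [192.0.2.53/32, 192.0.2.54/32]
var NTP_SERVERS 192.0.2.123/32 192.0.2.124/32
var SCANNERS ![203.0.113.7/32]
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS $NTP_SERVERS $SCANNERS
"""

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(.+?)\s*$")
IGNORE_RE = re.compile(r"^\s*preprocessor\s+portscan-ignorehosts\s*:\s*(.+?)\s*$")


def to_space_list(value):
    """Return the space separated form, or None when negation is used."""
    if "!" in value:
        return None  # the message says negation is not handled: fix by hand
    return " ".join(p for p in re.split(r"[\[\],\s]+", value) if p)


def lint(conf_text):
    """Map each offending variable to a suggested value (None = manual fix)."""
    variables, findings = {}, {}
    lines = [l.split("#", 1)[0] for l in conf_text.splitlines()]
    for line in lines:  # first pass: collect every var definition
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    for line in lines:  # second pass: check what portscan-ignorehosts is given
        m = IGNORE_RE.match(line)
        if not m:
            continue
        for name in re.findall(r"\$(\w+)", m.group(1)):
            value = variables.get(name, "")
            if re.search(r"[\[\],!]", value):
                findings[name] = to_space_list(value)
    return findings


if __name__ == "__main__":
    for name, fix in lint(SAMPLE_CONF).items():
        hint = f"use 'var {name} {fix}'" if fix else "negation, rewrite by hand"
        print(f"{name}: {hint}")
```

A variable rewritten this way may no longer suit rules that rely on the bracketed form, so a separate space separated variable for portscan-ignorehosts is the safer change.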