No subject


Thu Nov 23 16:36:19 EST 2017


variable.  This variable is used more in rules than anything else.  If you'll
look at the way you pass switches or parameters to plugins you'll notice that
they all have statements in the .conf like 'portscan2-ignorehosts'.  That's
what they seem to look for when they are registered with Snort.

I'd suggest setting something like 'portscan2-ignorehosts: $HOME_NET'.  Since
variable substitution is handled when the .conf is read, the statement passed
into ps2 is 'portscan2-ignorehosts: 192.168.0.0/24'.

If you don't want to put the whole HOME_NET in there, just add the single
box(es) that is/are giving you issues.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list