Re: Not ignoring DNS servers

[Italo Antonio <imigotto () proteus com br>]

This way you are just ignoring portscans on the dns-servers.
These are alerts from icmp-info.rules, if you want to ignore them you
have to write pass rules, or just comment out this rule from your
icmp-info.rules.

Snort FAQ:

3.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I ignore traffic coming from a particular host or hosts?

A: Write pass rules and add the host(s) to the portscan-ignorehosts
list.
   Call Snort with the -o option to activate the pass rules.
   See http://www.snort.org/writing_snort_rules.htm for more
information.


Italo.


Paul Slinski wrote:

> I have snort set up the following way in snort.conf (snort rules from
> snort site):
>
> var DNS_SERVERS [206.191.0.140/32,206.191.0.210/32]
>
> and
>
> preprocessor portscan-ignorehosts: $DNS_SERVERS
>
> Yet snort still reports:
> [**] [1:0:0] ICMP Destination Unreachable (Port Unreachable) [**]
> 09/06-00:02:01.200180 206.191.19.2 -> 206.191.0.210
> ICMP TTL:255 TOS:0xC0 ID:51451 IpLen:20 DgmLen:141
> Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 206.191.0.210:53 -> 206.191.19.2:4611
> UDP TTL:253 TOS:0x0 ID:13975 IpLen:20 DgmLen:113
> Len: 93
> ** END OF DUMP
>
> Any ideas?
>
> -Paul
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users