Snort mailing list archives
Re: Problems ignoring a host
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 11 Feb 2002 19:07:21 -0800 (PST)
On Tue, 12 Feb 2002, Peter Sundstrom wrote:
I forgot to say that I am using "portscan ignorehosts". In snort.conf I have: var IS_HOSTS 192.168.1.25/32 preprocessor portscan-ignorehosts: $SNMP_HOSTS $IS_HOSTS
Ahh... One thing it could be is the way the spp_portscan processes it's ignorehosts config directive. "Back in the day" when there wasn't a real set of standards for pre/post processors, the input from snort.conf was kinda up in the air. You might want to try using one variable instead of two. I'm not sure that the code can handle that. Barring that, a BPF filter might be your best way to go. [...goes to stick his head into the code again...] ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Problems ignoring a host Peter Sundstrom (Feb 11)
- Re: Problems ignoring a host Erek Adams (Feb 11)
- Re: Problems ignoring a host Peter Sundstrom (Feb 11)
- Re: Problems ignoring a host Erek Adams (Feb 11)
- Multiple sensors over WAN Onie Camara (Feb 11)
- Re: Problems ignoring a host Peter Sundstrom (Feb 11)
- <Possible follow-ups>
- RE: Problems ignoring a host Graham, Randy (RAW) (Feb 12)
- Re: Problems ignoring a host Erek Adams (Feb 11)