Snort mailing list archives
Re: portscan-ignorehosts for portscan2? (was Re: Portscan from self?)
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 8 Oct 2002 10:50:40 -0700 (PDT)
On Tue, 8 Oct 2002, Bennett Todd wrote:
> Would that I did. I don't see that in my snort.conf, nor anywhere else in my (1.9.0) snort rules. What's more, I'm having trouble tuning portscan2; it doesn't seem to be honoring portscan-ignorehosts. The easiest way I've found to tune it down for false-positives on legit servers is to use BPF to completely blind snort to those servers. This seems suboptimal to me.

portscan2 uses portscan2-ignorehosts instead of portscan-ignorehosts.

As for the BPF, if you really dink with the filters, you can get very specific on what packets to ignore. Flags, type, ports, machines, etc... Dig around the tcpdump man page for a few examples. For more complex things, you'll need to google for it. Sorry, but I don't have a good link to point you at. Anyone?

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
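The two approaches in the thread side by side, as an added example that is not part of the original post: the snort.conf fragment with `portscan2-ignorehosts` (the directive syntax and the `conversation` preprocessor it depends on are written from memory of the Snort 1.9 distributed snort.conf and should be checked against your README.portscan2), the coarse BPF that blinds Snort to the servers entirely, and a narrower BPF that drops only outbound SYNs from those servers, which is what a busy legit server emits and portscan2 counts as a scan, while leaving all other traffic to and from them visible to the rest of the ruleset. The host addresses are made up; `bpf_check` validates the expression with `tcpdump -d` against an empty capture file when tcpdump is installed, and is skipped otherwise.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed: Snort 1.9 portscan2 /
# portscan2-ignorehosts syntax as in the distributed snort.conf; hosts are made up.

# Emit a snort.conf fragment that excludes the given hosts/CIDRs from portscan2.
portscan2_conf() {
  printf 'preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000\n'
  printf 'preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60\n'
  printf 'preprocessor portscan2-ignorehosts: %s\n' "$*"
}

# Join hosts into "<qualifier> h1 or <qualifier> h2 ...", e.g. qualifier "host" or "src host".
join_hosts() {
  q=$1; shift
  out=""
  for h in "$@"; do
    out="${out:+$out or }$q $h"
  done
  printf '%s' "$out"
}

# Coarse filter (what the poster does now): Snort never sees these servers at all,
# so no rule, not just portscan2, can fire on traffic to or from them.
bpf_blind() {
  printf 'not (%s)' "$(join_hosts host "$@")"
}

# Narrow filter: drop only TCP SYNs (SYN set, ACK clear: tcp[13] & 0x12 == 0x02)
# whose source is one of the servers. Traffic *to* the servers and their non-SYN
# traffic still reaches Snort. Trade-off: a compromised server scanning outward
# is then invisible to portscan2; UDP-based false positives are not covered.
bpf_narrow() {
  printf 'not ((%s) and tcp[13] & 0x12 = 0x02)' "$(join_hosts "src host" "$@")"
}

# Syntax-check a BPF expression with tcpdump -d (compile and dump, no capture,
# no root). Uses a constructed empty pcap so the link type is known (Ethernet).
bpf_check() {
  if ! command -v tcpdump >/dev/null 2>&1; then
    echo "tcpdump not found; skipping BPF syntax check" >&2
    return 0
  fi
  f=$(mktemp) || return 1
  # 24-byte pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1.
  printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$f"
  if tcpdump -r "$f" -d "$1" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -f "$f"
  return $rc
}

# Demo with made-up addresses.
servers="10.1.1.5 10.1.1.6"
echo "# snort.conf fragment:"
portscan2_conf $servers
echo
echo "# coarse BPF (pass with snort -F <file> or on the command line):"
bpf_blind $servers; echo
echo "# narrow BPF:"
bpf_narrow $servers; echo
bpf_check "$(bpf_narrow $servers)" && echo "# narrow BPF compiles"
```

Pick the narrow filter when the false positives are the server's own outbound connection bursts (a mail relay, a proxy, a monitoring box); if they come from inbound traffic or UDP, adjust the flag test and direction accordingly rather than falling back to blinding Snort to the host.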
Current thread:
- Portscan from self? Marc Thomas (Oct 08)
- <Possible follow-ups>
- RE: Portscan from self? Miller, Eoin (Oct 08)
- portscan-ignorehosts for portscan2? (was Re: Portscan from self?) Bennett Todd (Oct 08)
- Re: portscan-ignorehosts for portscan2? (was Re: Portscan from self?) Erek Adams (Oct 08)
- portscan-ignorehosts for portscan2? (was Re: Portscan from self?) Bennett Todd (Oct 08)