Snort mailing list archives
RE: preprocessor portscan2-ignorehosts + "WEBTRAFFIC"
From: rellington () assesstech com (Ray Ellington)
Date: Fri, 14 Mar 2003 16:39:55 -0500
Try this:

preprocessor portscan2-ignorehosts: $DNS_SERVERS $eth0_ADDRESS

Notice the removal of the comma.

-Ray

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of mike Hughes
Sent: Friday, March 14, 2003 4:03 PM
To: bkarnold () cbu edu; snort-users () lists sourceforge net
Subject: [Snort-users] preprocessor portscan2-ignorehosts + "WEBTRAFFIC"

Hello,

I am trying to cut back on my false alarms I receive. I get a lot of "web traffic" like this in my ACID CONSOLE alerts, after I visit sites like www.MSN.com, etc. I want to try to stop all these alerts, so (192.173.60.183 -BEING my IPADDRESS- eth0_ADDRESS)

########################################################################
#0-(2-1295) [snort] (spp_portscan2) Portscan detected from 192.173.60.183: 6 targets 6 ports in 1186 seconds
    2003-03-14 13:08:16 192.173.60.183:53 208.38.45.164:53 UDP
#1-(2-1294) [snort] (spp_portscan2) Portscan detected from 208.38.45.177: 1 targets 21 ports in 16 seconds
    2003-03-14 12:46:09 208.38.45.177:80 192.173.60.183:3172 TCP
#2-(2-1293) [snort] (spp_portscan2) Portscan detected from 192.173.60.183: 6 targets 6 ports in 13 seconds
    2003-03-14 12:45:53 192.173.60.183:53 12.47.217.11:53 UDP
#3-(2-1292) [snort] (spp_portscan2) Portscan detected from 64.4.8.24: 1 targets 21 ports in 3 seconds
    2003-03-14 12:44:33 64.4.8.24:80 192.173.60.183:3121 TCP
########################################################################

So I have "preprocessor portscan2" enabled and I added a few things to "preprocessor portscan2-ignorehosts", but they both come back with ERRORS when I start "SNORTD". Here are the 2 things that I tried to add:

preprocessor portscan2-ignorehosts: $DNS_SERVERS, $eth0_ADDRESS
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

AND:

preprocessor portscan2-ignorehosts: [$DNS_SERVERS, $eth0_ADDRESS]

Any idea on how to write this line properly and/or another way to stop all these ALERTS I get.

Thanks
Mike

_________________________________________________________________
The new MSN 8: advanced junk mail protection and 2 months FREE*
http://join.msn.com/?page=features/junkmail

-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open!
Get cracking and register here for some mind boggling fun and the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- preprocessor portscan2-ignorehosts + "WEBTRAFFIC" mike Hughes (Mar 14)
- RE: preprocessor portscan2-ignorehosts + "WEBTRAFFIC" Ray Ellington (Mar 14)
- <Possible follow-ups>
- RE: preprocessor portscan2-ignorehosts + "WEBTRAFFIC" mike Hughes (Mar 14)
- RE: preprocessor portscan2-ignorehosts + "WEBTRAFFIC" Erek Adams (Mar 15)
- RE: preprocessor portscan2-ignorehosts + "WEBTRAFFIC" mike Hughes (Mar 14)