Snort mailing list archives
AW: pass rule
From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Fri, 25 Apr 2003 12:33:17 +0200
Hi Björn, [snip]
-> I don't want to define portscan-ignorehost, e.g. (212.8.128.120), because I think then all ports to this IP are ignored!? Do I understand something wrong?
Maybe a little bit: portscan2-ignorehosts makes snort ignore PORTSCANS coming from the given ip#/nets but does not influence any other preprocessors or signatures in the sense that all traffic is ignored.

An example:

preprocessor portscan2-ignorehosts: 212.8.128.114/32

doesn't generate any portscan alert from 212.8.128.114/32 even when nmap'ing from that host, but you will e.g. get alerts like ICMP nmap ping, which is signature based.

OTOH: Using pass rules doesn't influence the portscan2-ignorehosts preprocessor because pass rules only work for signatures but not for preprocessors.

OTOH2: If you're using BPF filters on the command line you will ignore the given hosts completely, so no alert of any kind will be generated by snort.

HTH,
Sandro
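The three scopes described in the reply above, side by side as an added example (not part of the original message). The host 212.8.128.114 is the one from the message; the config path, the interface name and the exact pass rule are assumptions for illustration, written in the Snort syntax of that era.

```conf
# snort.conf fragment (added example; Snort 1.9/2.0-era syntax)

# 1) Preprocessor scope.
#    Suppresses portscan2 alerts for scans coming from this host only.
#    Signature-based alerts for the same host (such as the ICMP nmap ping
#    alert mentioned in the message) are still generated.
preprocessor portscan2-ignorehosts: 212.8.128.114/32

# 2) Signature scope.
#    A pass rule makes the rule engine skip matching packets, so signature
#    alerts for this host stop. Preprocessors never consult pass rules, so
#    without line 1 the portscan2 alerts would continue.
#    Pass rules are only evaluated before alert rules when snort is
#    started with -o (rule order pass -> alert -> log).
pass ip 212.8.128.114/32 any -> any any

# 3) Capture scope.
#    A BPF filter on the command line drops the host's packets before
#    snort sees them, so neither preprocessors nor signatures can alert.
#    This is the only option of the three that leaves the host completely
#    unmonitored. Assumed path and interface:
#
#    snort -o -c /etc/snort/snort.conf -i eth0 'not host 212.8.128.114'
```

Options 1 and 2 can be combined to silence both portscan and signature alerts for a trusted scanner while the packets are still seen and logged by other components; option 3 removes the host from snort's view entirely.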