Snort mailing list archives

AW: pass rule


From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Fri, 25 Apr 2003 12:33:17 +0200

Hi Björn,

[snip]

-> I don't want to define portscan-ignorehost, e.g. (212.8.128.120), because I
think then all ports to this IP are ignored!?

Do I understand something wrong?

Maybe a little bit: portscan2-ignorehosts makes snort ignore PORTSCANS
coming from the given ip#/nets but does not influence any other
preprocessors or signatures in the sense that all traffic is ignored.

An example:

preprocessor portscan2-ignorehosts: 212.8.128.114/32

doesn't generate any portscan alert from 212.8.128.114/32 even when nmap'ing
from that host, but you will e.g. get alerts like ICMP nmap ping which is
signature based.

OTOH: Using pass rules doesn't influence the portscan2-ignorehosts
preprocessor because pass rules only work for signatures but not for
preprocessors.

OTOH2: If you're using BPF filters on the command line you will ignore the
given hosts completely so no alert of any kind will be generated by snort.

HTH,
Sandro
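
The three mechanisms compared in this reply (portscan2-ignorehosts, pass rules, BPF filters) each hide a different class of alert, which a small audit script can make explicit for a given host. This is an added example, not part of the original post or of Snort: the `suppressed` function, the sample pass rule, the BPF filter and their addresses are constructed, and the parsing assumes whole-host pass rules evaluated before alert rules and BPF filters built only from `not host` / `not net` terms.

```python
import ipaddress
import re

# Constructed sample inputs; only the portscan2-ignorehosts line is from the post.
SNORT_CONF = """\
preprocessor portscan2-ignorehosts: 212.8.128.114/32
pass ip 192.0.2.10 any -> any any
alert icmp any any -> any any (msg:"constructed signature";)
"""
BPF_FILTER = "not host 198.51.100.7"

ADDR = re.compile(r"\d+\.\d+\.\d+\.\d+(?:/\d+)?")


def nets(text):
    """Parse every IPv4 address or CIDR found in text into a network object."""
    return [ipaddress.ip_network(t, strict=False) for t in ADDR.findall(text)]


def suppressed(host, conf=SNORT_CONF, bpf=BPF_FILTER):
    """Report which alert sources are silenced for host by the three mechanisms."""
    ip = ipaddress.ip_address(host)
    ignore, passed = [], []
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("preprocessor portscan2-ignorehosts:"):
            ignore += nets(line.split(":", 1)[1])
        elif line.startswith("pass ip "):
            # Assumption: whole-host pass rules, "pass ip <src> any -> any any",
            # evaluated before alert rules.
            src = line.split()[2]
            passed += [ipaddress.ip_network("0.0.0.0/0")] if src == "any" else nets(src)
    # Assumption: the BPF filter only uses "not [src] host X" / "not [src] net X".
    terms = re.findall(r"not\s+(?:src\s+)?(?:host|net)\s+(\S+)", bpf)
    filtered = any(ip in n for n in nets(" ".join(terms)))
    return {
        "portscan2": filtered or any(ip in n for n in ignore),
        "signatures": filtered or any(ip in n for n in passed),
        "other_preprocessors": filtered,
    }


if __name__ == "__main__":
    for h in ("212.8.128.114", "192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(h, suppressed(h))
```

Running it over a sensor's real configuration and capture filter shows, per host, how much visibility each exclusion actually costs: only the BPF-filtered host disappears from every alert source.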

