Snort mailing list archives
portscan2-ignore... ???
From: Michael D Schleif <mds () helices org>
Date: Sat, 16 Aug 2003 00:09:18 -0500
I thought that I found a bug; but, it was silly me misunderstanding, again ;<

I get a lot of bunk like this:

    9 192.168.123.150 216.52.3.11 (spp_portscan2) Portscan detected from 192.168.123.150: 6 targets 6 ports in 13 seconds
    8 192.168.123.150 216.52.3.4 (spp_portscan2) Portscan detected from 192.168.123.150: 6 targets 6 ports in 17 seconds
    8 192.168.123.150 216.52.3.4 (spp_portscan2) Portscan detected from 192.168.123.150: 6 targets 6 ports in 11 seconds

Well, wouldn't you know, 192.168.123.150 is my snort server, as well as serving numerous other tools. So, I want to _ignore_ scans that originate from 192.168.123.150; at which point I found this:

    portscan2-ignoreports-from

Clearly, I didn't read that label rigorously enough, nor did I find any documentation about it, and happily assumed -- erroneously -- that it was the solution to my challenge ;> Of course, it (and its sister: portscan2-ignoreports-to) take only tcp/udp ports as arguments, and I am back to square one ;<

Yes, I recognize this:

    portscan2-ignorehosts

However, doesn't that one ignore the host(s), both as source and destination? What if I want to ignore spp_portscan2 *only* originating from 192.168.123.150? Suppose that I am very interested in any scans where 192.168.123.150 is the destination/subject of that scan?

What do you think?

-- 
Best Regards,

mds
- Dare to fix things before they break . . .
- Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
--
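The asymmetry the post asks about (drop portscan2 alerts whose source is the sensor, but keep those where the sensor is the target) can be handled as a post-processing step over the summary lines quoted above. The following Python script is an added example, not part of the original post or of Snort's own tooling: it parses lines of the shape shown in the post ("<count> <src> <dst> (spp_portscan2) Portscan detected from <src>: N targets M ports in S seconds"), then discards only those alerts whose source address falls inside an ignore list (single addresses or CIDR ranges). The first two sample lines are taken from the post; the third, with 10.0.0.7 scanning the sensor, is constructed to show that inbound scans against the ignored host survive the filter.

```python
import ipaddress
import re
from typing import Iterable, List, NamedTuple, Optional

# Shape of the spp_portscan2 summary lines quoted in the post (assumed format):
# "<count> <src> <dst> (spp_portscan2) Portscan detected from <src>: N targets M ports in S seconds"
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    rf"^\s*(?P<count>\d+)\s+(?P<src>{_IP})\s+(?P<dst>{_IP})\s+"
    rf"\(spp_portscan2\) Portscan detected from (?P<scanner>{_IP}): "
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<seconds>\d+) seconds\s*$"
)


class PortscanAlert(NamedTuple):
    count: int
    src: str
    dst: str
    targets: int
    ports: int
    seconds: int


def parse_alert(line: str) -> Optional[PortscanAlert]:
    """Parse one summary line; return None for lines that do not match the format."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return PortscanAlert(
        count=int(m["count"]),
        src=m["src"],
        dst=m["dst"],
        targets=int(m["targets"]),
        ports=int(m["ports"]),
        seconds=int(m["seconds"]),
    )


def parse_alerts(text: str) -> List[PortscanAlert]:
    """Parse every matching line of a summary report, skipping anything else."""
    return [a for a in (parse_alert(ln) for ln in text.splitlines()) if a is not None]


def filter_by_source(alerts: Iterable[PortscanAlert], ignore_sources: Iterable[str]) -> List[PortscanAlert]:
    """Drop alerts whose *source* lies in ignore_sources (addresses or CIDR networks).

    Alerts where an ignored host is only the *destination* are kept, which is the
    directional behaviour the post wants and which ignorehosts does not give.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in ignore_sources]
    kept: List[PortscanAlert] = []
    for alert in alerts:
        src = ipaddress.ip_address(alert.src)
        if any(src in net for net in nets):
            continue
        kept.append(alert)
    return kept


# Constructed sample: first two lines are from the post, the third is made up to
# show a scan *against* the sensor that must not be dropped.
SAMPLE = """\
9 192.168.123.150 216.52.3.11 (spp_portscan2) Portscan detected from 192.168.123.150: 6 targets 6 ports in 13 seconds
8 192.168.123.150 216.52.3.4 (spp_portscan2) Portscan detected from 192.168.123.150: 6 targets 6 ports in 17 seconds
3 10.0.0.7 192.168.123.150 (spp_portscan2) Portscan detected from 10.0.0.7: 1 targets 40 ports in 5 seconds
"""

if __name__ == "__main__":
    for alert in filter_by_source(parse_alerts(SAMPLE), ["192.168.123.150"]):
        print(f"{alert.src} -> {alert.dst}: {alert.ports} ports in {alert.seconds}s")
```

Running the script prints only the constructed inbound scan (10.0.0.7 -> 192.168.123.150); the two outbound alerts from the sensor are dropped. Feeding it the sensor's own summary output (for example via stdin) and widening the ignore list to a CIDR range works the same way, since the match is done with ipaddress.ip_network.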