Snort mailing list archives
Re: portscan2-ignore... ???
From: Erek Adams <erek () snort org>
Date: Sun, 17 Aug 2003 13:56:25 -0400 (EDT)
On Sat, 16 Aug 2003, Michael D Schleif wrote:

[...snip...]

> Considering the lack of documentation on this preprocessor, I am belaboring this point, because I need to understand the intended behaviour of portscan[2]?

[...snip...]

Use only one of the preprocessors, not both.

When using the ignorehosts line, that line tells ps2 to ignore that host entirely. It has no effect on the stream4 scan detection. If you want to drop the host in all parts of snort, you'll need to use a BPF filter. You could do something like:

    snort <options> 'not src host 192.168.123.150'

That would ignore all traffic _from_ 192.168.123.150. You can refine that more and use src/dst ports, but that's an exercise for the reader. :) For more info on BPF filters, check out the tcpdump man page[0].

Hope that helps!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

[0] It's not responding right now, or I'd have the URL. Go to http://www.tcpdump.org/ and look right near the top of the page. There's a link to the tcpdump man page there. And yes, I'm sure that Google has a billion of them. :)
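The src/dst port refinement mentioned in the message above, as an added example that is not part of the original post: a Python helper that builds the exclusion expression with explicit parentheses, because in pcap filter syntax `not` binds tighter than `and`, so `not src host A and dst port 25` would limit Snort to port 25 traffic only. The function names, the second address and the port are constructed for illustration; `snort_sees` is a plain model of the filter's effect, not libpcap.

```python
import ipaddress

def ignore_clause(src, dst_port=None, proto=None):
    """One BPF term describing traffic that Snort should never receive."""
    ipaddress.ip_address(src)                  # ValueError on a malformed address
    parts = []
    if proto is not None:
        if proto not in ("tcp", "udp"):
            raise ValueError("proto must be tcp or udp")
        parts.append(proto)
    parts.append(f"src host {src}")
    if dst_port is not None:
        if not 0 < int(dst_port) < 65536:
            raise ValueError("port out of range")
        parts.append(f"dst port {int(dst_port)}")
    term = " and ".join(parts)
    return f"({term})" if len(parts) > 1 else term

def build_filter(rules):
    """rules: list of (src, dst_port, proto); None means 'any'."""
    clauses = [ignore_clause(*r) for r in rules]
    # A single outer 'not (...)' keeps every clause inside the negation.
    return "not (" + " or ".join(clauses) + ")" if clauses else ""

def snort_sees(pkt, rules):
    """Model of the filter: True if the packet still reaches Snort at all."""
    for src, dst_port, proto in rules:
        if (pkt["src"] == src and dst_port in (None, pkt["dport"])
                and proto in (None, pkt["proto"])):
            return False                       # invisible to rules and preprocessors
    return True

# Constructed sample: ignore one host entirely, another only for TCP port 25.
RULES = [("192.168.123.150", None, None), ("192.168.123.151", 25, "tcp")]
PACKETS = [
    {"src": "192.168.123.150", "dport": 445, "proto": "tcp"},
    {"src": "192.168.123.151", "dport": 25, "proto": "tcp"},
    {"src": "192.168.123.151", "dport": 80, "proto": "tcp"},
]

if __name__ == "__main__":
    print(build_filter(RULES))
    for p in PACKETS:
        print(p, "->", "inspected" if snort_sees(p, RULES) else "never seen")
```

The printed expression goes where the quoted filter sits in the command from the message; the narrower the clause, the smaller the blind spot left for that host.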