Snort mailing list archives
Re: Question regarding sfportscan
From: Jeremy Hewlett <jh () sourcefire com>
Date: Fri, 7 Jan 2005 15:45:30 -0500
On Wed, Dec 29, J-H Johansen wrote:
> ignore_scanners { [$PROXY_SERVERS,$MAIL_SERVERS] } \
>
> The $PROXY_SERVERS variable is built out of two other variables ($X and $Y). The problem is that when I run a check on the config the "Portscan Detection Config" only lists the IPs in the first variable ($X).
How do you have your variables set up? sfPortscan only handles lists of IPs, not "lists of lists." So, if you have:

    var X_IP [192.168.0.1]
    var Y_IP [192.168.0.2]
    var PROXY_SERVERS [$X_IP,$Y_IP]
    var MAIL_SERVERS [10.0.1.1,10.0.1.2]
    ignore_scanners { [$PROXY_SERVERS,$MAIL_SERVERS] }

This expands to:

    ignore_scanners { [[[192.168.0.1],[192.168.0.2]],[10.0.1.1,10.0.1.2]] }

Once we hit the first ']' we are done, so the scanner only uses X_IP.

However, if you write your server IPs this way:

    var X_IP 192.168.0.1
    var Y_IP 192.168.0.2
    var PROXY_SERVERS $X_IP,$Y_IP
    var MAIL_SERVERS 10.0.1.1,10.0.1.2
    ignore_scanners { [$PROXY_SERVERS,$MAIL_SERVERS] }

This expands to:

    ignore_scanners { [192.168.0.1,192.168.0.2,10.0.1.1,10.0.1.2] }
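Added example, not part of the original post and not Snort's own code: a Python check that expands the `var` lines the way the reply shows and reports which ignore_scanners addresses survive when parsing stops at the first ']'. The function names, the purely textual `$NAME` substitution and the truncation model are assumptions taken from the reply's description; the two configs are constructed from the post's own values.

```python
import re

# Constructed sample configs, using the variable names and IPs from the post.
NESTED = """\
var X_IP [192.168.0.1]
var Y_IP [192.168.0.2]
var PROXY_SERVERS [$X_IP,$Y_IP]
var MAIL_SERVERS [10.0.1.1,10.0.1.2]
ignore_scanners { [$PROXY_SERVERS,$MAIL_SERVERS] }
"""
FLAT = """\
var X_IP 192.168.0.1
var Y_IP 192.168.0.2
var PROXY_SERVERS $X_IP,$Y_IP
var MAIL_SERVERS 10.0.1.1,10.0.1.2
ignore_scanners { [$PROXY_SERVERS,$MAIL_SERVERS] }
"""
VAR_RE = re.compile(r"^var\s+(\w+)\s+(\S+)\s*$")
OPT_RE = re.compile(r"^ignore_scanners\s*\{\s*(\S+)\s*\}")
REF_RE = re.compile(r"\$(\w+)")

def expand(text, variables):
    # Assumption: $NAME is replaced textually by the already-expanded value.
    return REF_RE.sub(lambda m: variables[m.group(1)], text)

def effective_ips(expanded):
    # Model of "once we hit the first ']' we are done" from the reply.
    head = expanded.split("]", 1)[0]
    return [ip for ip in head.replace("[", "").split(",") if ip]

def audit(config):
    """Return one finding per ignore_scanners line: expansion, kept, dropped."""
    variables, findings = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := VAR_RE.match(line):
            variables[m.group(1)] = expand(m.group(2), variables)
        elif m := OPT_RE.match(line):
            expanded = expand(m.group(1), variables)
            wanted = [ip for ip in re.sub(r"[\[\]]", "", expanded).split(",") if ip]
            kept = effective_ips(expanded)
            dropped = [ip for ip in wanted if ip not in kept]
            findings.append({"expanded": expanded, "kept": kept, "dropped": dropped})
    return findings

if __name__ == "__main__":
    for name, cfg in (("nested", NESTED), ("flat", FLAT)):
        for finding in audit(cfg):
            print(name, finding)
```

A non-empty "dropped" list marks hosts that were meant to be ignored but would still raise portscan alerts.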