Re: sfPortscan IP list ?

[Jason Brvenik <jasonb () sourcefire com>]

Not looked at the code but the difference may be that the working 
example is an IP list

{ x.x.x.x/y,x.x.x.x,x.x.x.x,x.x.x.x }

Can you split your one argument into multiple argumments?

If it is a single IP try adding a localhost IP as well.

{ 10.1.1.1/32,127.0.0.2/32 }

T Samp. wrote:
> Very strange....  I have it set up just like that...
>
> ignore_scanners  {xxx.xxx.xxx.xxx}
>
> And it again Snort tells me that there is "no argument" to the option....
> I am using 2.4 as well...
>
> The docs talk about a "Snort IP list" as the argument to ignore_scanners as
> opposed to just CIDR IP address...
> Maybe I am passing the address incorrectly?  Then again it works for you :)
>
> Thanks for reaching out...
>
>
>
> -----Original Message-----
> From: Lee Clemens [mailto:snort () leeclemens net] 
> Sent: Wednesday, August 31, 2005 8:26 PM
> To: 'T Samp.'
> Cc: snort-users () lists sourceforge net
> Subject: RE: [Snort-users] sfPortscan IP list ?
>
> I am using 2.4 and I have ignore_scanners setup like this:
>
> ignore_scanners { x.x.x.x/y,x.x.x.x,x.x.x.x,x.x.x.x }
>
> If your HOME_NET is only one IP address, just enter the IP without the
> slash.
>
> Hope that helps!
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of T Samp.
> Sent: Wednesday, August 31, 2005 6:16 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] sfPortscan IP list ?
>
> I am experimenting with the sfPortscan module...
>
> When I utilize the ignore_scanners option, I get a Snort error on
> initialization: "No argument to 'ignore_scanners' config option"
>
> I have tried  the following:
>
> ignore_scanners {xxx.xxx.xxx.xxx/32}
> ignore_scanners {$HOME_NET}
> ignore_scanners {[xxx.xxx.xxx.xxx/32]}
> ignore_scanners {[$HOME_NET]}
>
> I guess I can't figure out the syntax for the IP portion of this option.
>
> Any nudge in the right direction is greatly appreciated !
>
>
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO September
> 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile &
> Plan-Driven Development * Managing Projects & Teams * Testing & QA Security
> * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users