Snort mailing list archives
RE: No clue?
From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Tue, 15 Nov 2005 16:38:07 -0500
Did you comment out the lines following the preprocessor sfportscan line? memcap { 10000000 } \ sense_level { low } A few lines about preprocessor sfportscan is a description of ignore_scanners Bruce -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of John Friedman Sent: Tuesday, November 15, 2005 2:47 PM To: snort Subject: Re: [Snort-users] No clue? Thank you for your reply. If I comment out # preprocessor sfportscan: the snort service can not be started. Also, what's the syntax to ignore this host from sf portscan? Thansk for your help, John --- Matt Kettler <mkettler () evi-inc com> wrote:
John Friedman wrote:Hi all, Since I did not get any reply on this, is thereany way to suppress orpass this alert?Suggestion: look at the ignorehosts option for portscan. Pass definitely will not work. Since pass is a rule, it can only work if the offending traffic is matching a rule. You might be able to suppress it, but you'd probably wind up having to suppress all portscans... It's generally best to configure your portscan plugins properly in the first place. Actually, if you're monitoring an internal LAN, you'll probably just want to turn it off or turn the thresholds way up.
__________________________________ Start your day with Yahoo! - Make it your home page! http://www.yahoo.com/r/hs ------------------------------------------------------- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today Register for a JBoss Training Course. Free Certification Exam for All Training Attendees Through End of 2005. For more info visit: http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today Register for a JBoss Training Course. Free Certification Exam for All Training Attendees Through End of 2005. For more info visit: http://ads.osdn.com/?ad_idv28&alloc_id845&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- No clue? John Friedman (Nov 11)
- <Possible follow-ups>
- RE: No clue? John Friedman (Nov 11)
- RE: No clue? John Friedman (Nov 15)
- Re: No clue? Matt Kettler (Nov 15)
- Re: No clue? John Friedman (Nov 15)
- RE: No clue? John Friedman (Nov 15)
- RE: No clue? John Friedman (Nov 15)
- RE: No clue? Briggs, Bruce (Nov 15)
- RE: No clue? John Friedman (Nov 15)
- Re: No clue? Joel Esler (Nov 15)
- RE: No clue? John Friedman (Nov 15)
- Re: No clue? John Friedman (Nov 15)
- Re: No clue? Joel Esler (Nov 15)
- Re: No clue? John Friedman (Nov 16)
- Re: No clue? John Friedman (Nov 16)
- Re: No clue? Eric Maheo (Nov 16)
- Re: No clue? John Friedman (Nov 16)
- Re: No clue? Eric Maheo (Nov 16)