Snort mailing list archives

Re: Ignoring Hosts


From: Erek Adams <erek () theadamsfamily net>
Date: Sun, 11 Nov 2001 11:09:36 -0800 (PST)

On Sun, 11 Nov 2001, Ayse Ekinci wrote:


> Although I have an entry to ignore a couple of my servers (yp, networking
> monitoring etc) ...:
>
>       portscan-ignorehosts: x.x.x.1/32  x.x.x.2/32
>
> Snort still will not ignore them and I still receive the following messages
> via syslog:
>
>       2 in 0:15:36: my_host snort: [ID 702911 local1.notice]
>       spp_portscan: portscan status from x.x.x.1: 5 connections across 1 hosts:
>       TCP(2), UDP(3)
>
>       Nov 11 19:59:19 my_host snort: [ID 702911 local1.notice]
>       spp_portscan: End of portscan from x.x.x.2: TOTAL time(1s) hosts(1) TCP(0)
>       UDP(5)
>
>       2 in 1:00:00: my_host snort: [ID 702911 local1.notice]
>       spp_portscan: PORTSCAN DETECTED from x.x.x.3 (THRESHOLD 4 connections
>       exceeded in 0 seconds)
>
> Can anyone tell me what I have missed - please.

Try this:

         portscan-ignorehosts: [x.x.x.1/32,x.x.x.2/32]

This snippet from the snort.conf file gives you some more info about it...

---
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
---

That should get you fixed up.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
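
The list form recommended in the reply above can be checked mechanically before Snort is restarted. The following is an added example, not part of the original message or of Snort itself: a small linter that flags `portscan-ignorehosts` and `var` lines whose address lists are not written as `[a,b]` without spaces. The function names and the sample configuration (with documentation-range addresses) are constructed for illustration, and accepting an optional leading `preprocessor` keyword is an assumption.

```python
import ipaddress
import re

# Matches the directive from the thread (optionally prefixed with "preprocessor")
# and snort.conf "var NAME value" lines. Comment lines do not match.
DIRECTIVE = re.compile(r'^\s*(?:preprocessor\s+)?(portscan-ignorehosts:|var\s+\S+)\s+(.*)$')

def lint_line(line):
    """Return a list of problems with the address list on one config line."""
    m = DIRECTIVE.match(line)
    if not m:
        return []
    name, value = m.group(1), m.group(2).strip()
    problems = []
    if value.startswith('['):
        if not value.endswith(']'):
            problems.append('unterminated [ ] list')
        if re.search(r'\s', value):
            problems.append('whitespace inside [ ] list')
        items = value.strip('[]').split(',')
    else:
        items = value.split()
        if len(items) > 1:
            problems.append('multiple entries not written as [a,b] list')
    # Only the ignore-hosts directive is known to hold addresses; a "var" may
    # hold paths or ports, so its items are not validated as networks.
    if name.startswith('portscan-ignorehosts'):
        for item in (i.strip() for i in items):
            try:
                ipaddress.ip_network(item, strict=False)
            except ValueError:
                problems.append('not a valid address or CIDR: ' + item)
    return problems

def lint_config(text):
    """Return [(line_number, problems)] for every line that has problems."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        problems = lint_line(line)
        if problems:
            findings.append((number, problems))
    return findings

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
var HOME_NET [10.1.1.0/24, 192.168.1.0/24]
var RULE_PATH ./rules
preprocessor portscan-ignorehosts: 192.0.2.1/32  192.0.2.2/32
preprocessor portscan-ignorehosts: [192.0.2.1/32,192.0.2.2/32]
"""

if __name__ == '__main__':
    for number, problems in lint_config(SAMPLE):
        print(number, '; '.join(problems))
```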

