Snort mailing list archives
How do I ignore portscans from everything but HOME_NET?
From: Steve Ochani <jpegny () optonline net>
Date: Wed, 10 Apr 2002 11:05:42 -0400
Hello all,

First: thanks to Ryan Hill and Paul Sheahan for replying to my previous mail "Portscanning from my network". I decided to try ignoring machines to solve my problem. This is what I've done:

Set up a separate Snort machine just for detecting portscans (I want to monitor any portscans *from* a few servers). Set my home net as

    HOME_NET [192.168.12.245/32,192.168.12.8/32,192.168.12.9/32,192.168.13.10/32, 192.168.14.7]

(not real IPs, but the servers are over 3 subnets, all of which I can sniff; I only have control over one of the servers, which is why I can't set up something on them).

As per the FAQ, I set the preprocessor portscan to

    preprocessor portscan: 0.0.0.0/0 5 3 portscan.log

Now, as before, I was also picking up workstations surfing the web as portscans. What I want to do is ignore everything but the IPs in HOME_NET. For a test I put the IP of one of the workstations in the preprocessor portscan-ignorehosts: and it worked; its web surfing was not showing up as portscans. So I tried

    preprocessor portscan-ignorehosts: !$HOME_NET

(didn't work) and ![$HOME_NET], and Snort didn't like this; it gave me some error about an invalid IP address.

So how can I ignore every machine on the 3 subnets excluding the ones in my HOME_NET? In the FAQ there is a mention of a "portscan-ignorehosts.rules file directive"; can I/how do I use this? If it's a matter of making a list of all the IP addresses I want to ignore, I have no problem with that.

Thanks for any help

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
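The post ends by saying an explicit list of every address to ignore would be acceptable. The script below, an added example and not from the poster or the Snort project, builds that list for the old portscan preprocessor: it takes the three monitored subnets, removes the HOME_NET hosts, collapses what remains into the fewest CIDR blocks, and prints a `preprocessor portscan-ignorehosts:` line. The sample subnets and hosts are constructed to mirror the post, and it assumes the directive accepts a space-separated list of CIDR blocks (only the directive name itself appears on the page).

```python
import ipaddress

# Constructed sample values mirroring the post (not real addresses):
# the three subnets the sensor can sniff, and the servers whose
# outbound scans should still be reported.
MONITORED_SUBNETS = ["192.168.12.0/24", "192.168.13.0/24", "192.168.14.0/24"]
HOME_NET = ["192.168.12.245/32", "192.168.12.8/32", "192.168.12.9/32",
            "192.168.13.10/32", "192.168.14.7"]


def complement_blocks(subnets, keep):
    """Return the minimal CIDR blocks covering every address in `subnets`
    that is NOT in `keep`, i.e. the hosts whose traffic the portscan
    preprocessor should ignore."""
    keep_nets = [ipaddress.ip_network(k, strict=False) for k in keep]
    remaining = [ipaddress.ip_network(s) for s in subnets]
    for k in keep_nets:
        next_remaining = []
        for net in remaining:
            if net.subnet_of(k):
                continue                      # whole block is kept, drop it
            elif k.subnet_of(net):
                next_remaining.extend(net.address_exclude(k))  # punch a hole
            else:
                next_remaining.append(net)    # untouched by this host
        remaining = next_remaining
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def ignorehosts_directive(subnets, keep):
    """Assumed syntax: space-separated CIDR list after the directive."""
    return "preprocessor portscan-ignorehosts: " + " ".join(
        complement_blocks(subnets, keep))


def covered_address_count(blocks):
    """Number of individual addresses the ignore list covers (for checking)."""
    return sum(ipaddress.ip_network(b).num_addresses for b in blocks)


def covers_any(blocks, hosts):
    """True if any host that must stay monitored slipped into the ignore list."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    return any(ipaddress.ip_address(h.split("/")[0]) in n
               for h in hosts for n in nets)


if __name__ == "__main__":
    print(ignorehosts_directive(MONITORED_SUBNETS, HOME_NET))
```

The printed line can be pasted into snort.conf in place of the `!$HOME_NET` attempt; re-run the script whenever HOME_NET changes.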