Snort mailing list archives

How do I ignore portscans from everything but HOME_NET?


From: Steve Ochani <jpegny () optonline net>
Date: Wed, 10 Apr 2002 11:05:42 -0400

Hello all,

First: thanks to Ryan Hill and Paul Sheahan for replying to my previous mail "Portscanning from my network".

I decided to try ignoring machines to solve my problem.

This is what I've done:

Set up a separate Snort machine just for detecting portscans.

(I want to monitor any portscans *from* a few servers.)

Set my home net as

HOME_NET [192.168.12.245/32,192.168.12.8/32,192.168.12.9/32,192.168.13.10/32,192.168.14.7]

(Not real IPs, but the servers are over 3 subnets, all of which I can sniff. I only have control over one of the servers; this is why I can't set up something on them.)

As per the FAQ I set the preprocessor portscan to

preprocessor portscan: 0.0.0.0/0 5 3 portscan.log

Now, as before, I was also picking up workstations surfing the web as portscans.

What I want to do is ignore everything but the IPs in HOME_NET.

For a test I put the IP of one of the workstations in the
preprocessor portscan-ignorehosts: line and it worked; its web surfing was not showing up as
portscans. So I tried

preprocessor portscan-ignorehosts: !$HOME_NET

(didn't work)

and ![$HOME_NET]

and Snort didn't like this; it gave me some error about an invalid IP address.

So how can I ignore every machine on the 3 subnets excluding the ones in my HOME_NET?

In the FAQ there is a mention of a "portscan-ignorehosts.rules file directive"; can I/how do I use this?

If it's a matter of making a list of all the IP addresses I want to ignore, I have no problem with that.


Thanks for any help
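One way to build the explicit ignore list the poster says they would accept, as an added example that is not from the original thread or from the Snort project: it takes the HOME_NET hosts and the three sniffed subnets (assumed here to be the /24s 192.168.12.0, 192.168.13.0 and 192.168.14.0) and emits the complement as collapsed CIDR blocks on a portscan-ignorehosts line, assuming the space-separated host-list syntax of the Snort 1.x preprocessor.

```python
import ipaddress

# Constructed inputs modelled on the post: the watched servers (HOME_NET) and
# the three subnets the sensor can see. The /24 boundaries are an assumption.
HOME_NET = ["192.168.12.245/32", "192.168.12.8/32", "192.168.12.9/32",
            "192.168.13.10/32", "192.168.14.7"]
SNIFFED_SUBNETS = ["192.168.12.0/24", "192.168.13.0/24", "192.168.14.0/24"]


def ignore_networks(home_net, subnets):
    """Return the minimal list of CIDR blocks that covers every address in
    `subnets` except the HOME_NET hosts, i.e. the complement of HOME_NET.

    Snort's ignore list cannot express "everything but HOME_NET" directly,
    so the complement is enumerated and then collapsed into as few
    aligned CIDR blocks as possible."""
    home = {ipaddress.ip_interface(h).ip for h in home_net}
    remaining = []
    for cidr in subnets:
        # Iterate over every address in the subnet (network and broadcast
        # included) so the collapsed blocks stay aligned and compact.
        for addr in ipaddress.ip_network(cidr):
            if addr not in home:
                remaining.append(ipaddress.ip_network(str(addr)))
    # collapse_addresses merges adjacent /32s into their supernets.
    return list(ipaddress.collapse_addresses(remaining))


def portscan_ignorehosts_line(home_net, subnets):
    """Render the ignore list as a single preprocessor directive.
    The space-separated CIDR list after the colon is assumed syntax."""
    blocks = ignore_networks(home_net, subnets)
    return "preprocessor portscan-ignorehosts: " + " ".join(str(b) for b in blocks)


if __name__ == "__main__":
    print(portscan_ignorehosts_line(HOME_NET, SNIFFED_SUBNETS))
```

Paste the printed line into snort.conf; every watched server is left out of the ignore list, so only its activity can trip the portscan preprocessor.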

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users