Snort mailing list archives

RE: How do I ignore portscans from everything but HOME_NET?


From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Wed, 10 Apr 2002 10:24:53 -0600

If you already got your answer then never mind this reply.  Otherwise, I
have accomplished this task by doing the following:

preprocessor portscan-ignorehosts: !192.168.1.0/24,10.0.0.0/8

With no spaces this should work.

or in your case:

preprocessor portscan-ignorehosts: !192.168.12.245/32,192.168.12.8/32,192.168.12.9/32,192.168.13.10/32,192.168.14.7
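The semantics Tim's reply relies on (a leading `!` negates the whole comma-separated list, so every source address *not* listed is ignored and only the listed servers can still raise portscan alerts) can be checked offline before touching snort.conf. The script below is an added illustration written for this archive page, not Snort's own code; it assumes that whole-list negation behaviour as described in the reply, treats a bare address as a /32, and uses constructed sample source addresses on Steve's (fictitious, per his mail) subnets.

```python
"""Model of the `preprocessor portscan-ignorehosts:` list semantics.

Added illustration, not Snort's own code. Assumption: a leading `!`
negates the whole list (as the reply above describes), so a source is
ignored when it does NOT match any listed network. Without `!`, listed
sources are the ones ignored.
"""
import ipaddress
from typing import List, Tuple


def parse_ignorehosts(spec: str) -> Tuple[bool, List[ipaddress.IPv4Network]]:
    """Parse a Snort-style host list such as '!192.168.1.0/24,10.0.0.0/8'.

    Returns (negated, networks). Bare addresses become /32 networks.
    Whitespace is tolerated here for experimentation only; the reply notes
    the real directive must be written without spaces.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    # Optional surrounding brackets, as in the HOME_NET [a,b,c] form.
    spec = spec.strip("[]")
    networks = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # strict=False accepts host bits under a prefix (e.g. 10.1.2.3/8).
        networks.append(ipaddress.ip_network(entry, strict=False))
    return negated, networks


def is_ignored(src: str, spec: str) -> bool:
    """True if portscan tracking for source address `src` is suppressed."""
    negated, networks = parse_ignorehosts(spec)
    addr = ipaddress.ip_address(src)
    listed = any(addr in net for net in networks)
    # Plain list: listed hosts are ignored.
    # Negated list: everything EXCEPT listed hosts is ignored.
    return listed != negated


def alerting_sources(sources: List[str], spec: str) -> List[str]:
    """Return the sources that can still trigger portscan alerts."""
    return [s for s in sources if not is_ignored(s, spec)]


# Steve's server list (not real IPs, per his mail), written the way Tim shows.
SERVER_SPEC = ("!192.168.12.245/32,192.168.12.8/32,192.168.12.9/32,"
               "192.168.13.10/32,192.168.14.7")

# Constructed sample: two of the servers plus two workstations on the same subnets.
SAMPLE_SOURCES = ["192.168.12.245", "192.168.14.7", "192.168.12.50", "192.168.13.77"]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        state = "ignored" if is_ignored(src, SERVER_SPEC) else "tracked"
        print(f"{src:16} {state}")
    print("still able to raise portscan alerts:",
          alerting_sources(SAMPLE_SOURCES, SERVER_SPEC))
```

Running it shows the two servers as `tracked` and the two workstations as `ignored`, which is exactly the outcome Steve asked for: the workstations' web surfing no longer counts, while a scan *from* one of the servers is still logged.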

-----Original Message-----
From: Steve Ochani [mailto:jpegny () optonline net]
Sent: Wednesday, April 10, 2002 8:06 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] How do I ignore portscans from everything but
HOME_NET?


Hello all,

First: thanks to Ryan Hill and Paul Sheahan for replying to my previous mail "Portscanning from my network".

I decided to try ignoring machines to solve my problem.

This is what I've done

Set up a separate snort machine just for detecting portscans

(I want to monitor any portscans *from* a few servers)

set my home net as

HOME_NET [192.168.12.245/32,192.168.12.8/32,192.168.12.9/32,192.168.13.10/32,192.168.14.7]

(Not real IPs, but the servers are spread over 3 subnets, all of which I can sniff. I only have control over one of the servers; this is why I can't set up something on them.)

As per the FAQ I set the preprocessor portscan to

preprocessor portscan: 0.0.0.0/0 5 3 portscan.log

Now, as before, I was also picking up workstations surfing the web as portscans.

What I want to do is ignore everything but the IPs in home_net.

For a test I put the IP of one of the workstations in the preprocessor portscan-ignorehosts: and it worked; its web surfing was not showing up as portscans. So I tried

preprocessor portscan-ignorehosts: !$HOME_NET

(didn't work)

and ![$HOME_NET]

and snort didn't like this, gave me some error about invalid ip address.

So how can I ignore every machine on the 3 subnets excluding the ones in my home_net?

In the FAQ there is a mention of a "portscan-ignorehosts.rules file directive"; can I/how do I use this?

If it's a matter of making a list of all the IP addresses I want to ignore, I have no problem with that.


Thanks for any help

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users