Snort mailing list archives
Re: How to ignore scan from a host
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 16 Apr 2002 15:31:03 -0700 (PDT)
On Tue, 16 Apr 2002, Tony Wong wrote:
how can I ignore a host from scanning?
Multiple ways. Depends on what you really want to do.
Tried putting ip address/subnet mask in here but alert was still logging the host scanning
preprocessor portscan-ignorehosts: ip/netmask
ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP}
These two things are _not_ related. The first is a config line for the portscan pre-processor. The second is from a sig in icmp.rules.

Now... Depending on what you want, you can

A) use the portscan-ignorehosts line, which tells the portscan processor to ignore any packets from that host. If you do that (as you did), you will still get warnings from stream4, if enabled, and from any rules.

B) Use a BPF filter to totally ignore a host.
From your message, I think you want option B. Something like 'snort <options> "not host foo"' would work for you I think.

Oh, and isn't it amazing what you can find in the FAQ? http://www.snort.org/docs/faq.html#3.7

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
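The two options from the reply above, as an added example that is not part of the original post: a small Python helper (function names are hypothetical) that validates a list of scanner addresses and emits both the `portscan-ignorehosts` line and the BPF expression. It goes beyond the single-host case in the post by accepting several hosts and CIDR networks; the addresses are constructed documentation ranges.

```python
import ipaddress


def parse_entries(entries):
    """Validate each entry as an IPv4 host or CIDR network; reject anything else."""
    nets = []
    for entry in entries:
        # strict=True rejects a network with host bits set (e.g. 192.0.2.10/24),
        # usually a typo that would ignore far more traffic than intended.
        nets.append(ipaddress.IPv4Network(entry.strip(), strict=True))
    if not nets:
        raise ValueError("refusing to build an empty ignore list")
    return nets


def portscan_ignorehosts_line(entries):
    """Option A: only the portscan preprocessor skips these sources."""
    cidrs = " ".join(str(n) for n in parse_entries(entries))
    return "preprocessor portscan-ignorehosts: " + cidrs


def bpf_ignore_filter(entries):
    """Option B: packets to or from these addresses never reach Snort."""
    terms = []
    for n in parse_entries(entries):
        if n.prefixlen == 32:
            terms.append(f"host {n.network_address}")
        else:
            terms.append(f"net {n}")
    return "not (" + " or ".join(terms) + ")"


if __name__ == "__main__":
    # Constructed sample input: one scanner host and one scanner subnet.
    scanners = ["192.0.2.10", "198.51.100.0/24"]
    print(portscan_ignorehosts_line(scanners))
    print(bpf_ignore_filter(scanners))
```

The filter string goes where the post puts "not host foo" on the Snort command line. Unlike option A, it also hides that traffic from stream4 and every rule, so the list is best kept as narrow as possible.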