Snort mailing list archives

Re: How to ignore scan from a host


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 16 Apr 2002 15:31:03 -0700 (PDT)

On Tue, 16 Apr 2002, Tony Wong wrote:

> how can I ignore a host from scanning?

Multiple ways.  Depends on what you really want to do.

> Tried putting ip address/subnet mask in here but alert was still logging
> the host scanning
>
> preprocessor portscan-ignorehosts: ip/netmask
>
> ICMP PING NMAP [**] [Classification: Attempted Information Leak]
> [Priority: 2] {ICMP}

These two things are _not_ related.  The first is a config line for the
portscan pre-processor.  The second is from a sig in icmp.rules.

Now...  Depending on what you want, you can

        A)  Use the portscan-ignorehosts line, which tells the portscan
            processor to ignore any packets from that host.  If you do that
            (as you did), you will still get warnings from stream4, if
            enabled, and from any rules.
        B)  Use a BPF filter to totally ignore a host.

From your message, I think you want option B.  Something like 'snort <options>
"not host foo"' would work for you I think.

Oh, and isn't it amazing what you can find in the FAQ?

        http://www.snort.org/docs/faq.html#3.7

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
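
Option B from the reply above, as an added example that is not part of the original message or of Snort itself: a small shell helper that builds the "not host ..." BPF expression from a list of addresses and rejects anything that is not an IPv4 address or CIDR. The function names, the sample addresses, the config path and the interface name are assumptions.

```shell
#!/bin/sh
# Added example. Addresses are constructed documentation values (RFC 5737).
#
# Option A, in snort.conf, silences only the portscan preprocessor:
#   preprocessor portscan-ignorehosts: 192.0.2.10/32
# Option B, a BPF filter, keeps the host's packets away from Snort entirely.

# is_ipv4_or_cidr ADDR: succeed only for a dotted quad with optional /0-32.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        [ "${1#*/}" -le 32 ] || return 1
    fi
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# build_ignore_filter ADDR...: print "not (host A or net B/len ...)".
# Rejecting anything that is not an address keeps stray BPF keywords
# (for example "or port 22") out of the expression.
build_ignore_filter() {
    expr_body=""
    for target in "$@"; do
        if ! is_ipv4_or_cidr "$target"; then
            echo "invalid address: $target" >&2
            return 1
        fi
        case $target in
            */*) term="net $target" ;;   # pcap requires host bits to be zero
            *)   term="host $target" ;;
        esac
        expr_body="${expr_body:+$expr_body or }$term"
    done
    [ -n "$expr_body" ] || return 1
    printf 'not (%s)\n' "$expr_body"
}

# Print the filter; pass it to Snort as the trailing argument, e.g.
#   snort -c /etc/snort/snort.conf -i eth0 "$(build_ignore_filter 192.0.2.10)"
# (config path and interface name are assumptions).
build_ignore_filter 192.0.2.10 198.51.100.0/24
```

Because the filter is applied before Snort inspects anything, no preprocessor or rule will alert on traffic from the excluded addresses, so the list is best kept as narrow as possible.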

