Snort mailing list archives

RE: Help with pass rule


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 28 Aug 2002 10:14:48 -0700 (PDT)

On Wed, 28 Aug 2002 francisv () dagupan com wrote:

> I have the following line:
>
>       preprocessor portscan-ignorehosts: $HOME_NET
>
> in my snort.conf file. Is portscan-ignorehosts directly related to scan
> attempts?

Yes.  It's part of the portscan preprocessor.  It tells the plugin what IPs
to ignore 'scans' from.  The logic of portscan is something like "If you see
over X connections to a port or multiple ports in Y seconds, then it's a
portscan."  DNS servers can set it off if it's not set up right.

You may want to change your HOME_NET and EXTERNAL_NET values, depending on how
you see your network.  If SERVER_NET is also HOME_NET then I would define
EXTERNAL_NET as !$HOME_NET.  That would set it to every IP except your
HOME_NET.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
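
The threshold logic described in the reply, and the effect of an ignore list on it, as an added example that is not part of the original message and is not Snort's own code. It is a simplified model: the function name, the thresholds (4 connections in 3 seconds) and all addresses and events are constructed for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


def detect_scans(events, max_conns, window, ignore_nets=()):
    """Return the set of source IPs that made more than `max_conns`
    connections within any `window`-second span.

    events: time-ordered (timestamp_seconds, src_ip, dst_ip, dst_port) tuples.
    ignore_nets: CIDR strings whose sources are never counted, modelling
    what portscan-ignorehosts does for the portscan preprocessor.
    """
    ignore = [ip_network(n) for n in ignore_nets]
    recent = defaultdict(deque)  # src_ip -> timestamps still inside the window
    flagged = set()
    for ts, src, _dst, _port in events:
        if any(ip_address(src) in net for net in ignore):
            continue  # ignored hosts never reach the counter
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop connections older than the window
            q.popleft()
        if len(q) > max_conns:
            flagged.add(src)
    return flagged


# Constructed sample traffic (documentation address ranges).
HOME_NET = "192.0.2.0/24"
DNS = "192.0.2.53"        # internal resolver querying many servers quickly
SCANNER = "198.51.100.7"  # external host walking ports on one target
SLOW = "203.0.113.9"      # external host well under the threshold
EVENTS = sorted(
    [(0.1 * i, DNS, "198.51.100.%d" % (10 + i), 53) for i in range(6)]
    + [(1.0 + 0.2 * p, SCANNER, "192.0.2.10", 20 + p) for p in range(6)]
    + [(10.0 * i, SLOW, "192.0.2.10", 80) for i in range(6)]
)

if __name__ == "__main__":
    # Without an ignore list the busy DNS server is a false positive.
    print(sorted(detect_scans(EVENTS, 4, 3)))
    # Ignoring HOME_NET sources leaves only the external scanner.
    print(sorted(detect_scans(EVENTS, 4, 3, ignore_nets=[HOME_NET])))
```

Note that an ignore list suppresses every source inside it, so a compromised host in HOME_NET scanning outward would also go unreported by this check.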


