Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Block host

From: "Bradley, Paul" <paulb () cta com>
Date: Tue, 5 Nov 2002 05:02:24 -0700
using SNORT 1.9 (Linux)

We have one host that does bi-weekly internal vulnerability scans.  I have
created some pass rules in my local.rules files to ignore traffic from this
particular host; however, during the scanning phase of the vulnerability
scans, the stream4 preprocessor always detect the scans and log them.  Is
there anyway I can configure snort to ignore that host altogether?  I have
included the preprocessor portion of my snort.conf file.

Thanks,

Paul

preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts,ttl_limit 175
preprocessor stream4_reassemble: noalerts
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
iis_flip_slas
h full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols 1 2 6 17 46 47 50 54 88 103,
ale
rt_odd_protocols


-------------------------------------------------------
This sf.net email is sponsored by: See the NEW Palm 
Tungsten T handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: