Snort mailing list archives
Block host
From: "Bradley, Paul" <paulb () cta com>
Date: Tue, 5 Nov 2002 05:02:24 -0700
Using Snort 1.9 (Linux).

We have one host that does bi-weekly internal vulnerability scans. I have created some pass rules in my local.rules file to ignore traffic from this particular host; however, during the scanning phase of the vulnerability scans, the stream4 preprocessor always detects the scans and logs them. Is there any way I can configure Snort to ignore that host altogether? I have included the preprocessor portion of my snort.conf file.

Thanks,
Paul

preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts,ttl_limit 175
preprocessor stream4_reassemble: noalerts
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols 1 2 6 17 46 47 50 54 88 103, alert_odd_protocols