Snort mailing list archives
Re: Right syntax ?? $DNS_SERVER ??
From: "Andrew R. Baker" <andrewb () snort org>
Date: Tue, 19 Nov 2002 13:08:50 -0500
Thierry wrote:
Hi, I have a problem with the dns server of my provider. They are noisy...
Do you know if the syntax of snort.conf is correct ?

var HOME_NET $ep0_ADDRESS
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [193.252.19.3/32,193.252.19.4/32]
preprocessor portscan-ignorehosts: $DNS_SERVERS

What I can see on ACID:

#0-(1-65) [snort] (spp_portscan2) Portscan detected from 193.252.19.3: 1 targets 21 ports in 436 seconds 2002-11-18 19:49:15 193.252.19.3:53 xx.xx.xx.xx:1074 UDP
I see two problems here.

1) You are using the portscan-ignorehosts directive, but are using the portscan2 preprocessor. You need to use portscan2-ignorehosts.

2) The ignorehosts directive should be after the portscan directive.

Try fixing those two problems and see if things work for you.

-A
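Added example, not part of the original thread and not Snort project code: a small checker that flags both problems named in the reply, an ignorehosts directive whose preprocessor is not loaded and one that precedes its preprocessor. The function name, the sample configs and the bare "preprocessor portscan2" line (arguments omitted) are assumptions made for illustration.

```python
import re

# "preprocessor <name>" with an optional ": <args>" tail
PREPROC = re.compile(r"^\s*preprocessor\s+([\w-]+)\s*(?::.*)?$")
SUFFIX = "-ignorehosts"

def check_ignorehosts(conf_text):
    """Return (line_no, kind, message) for each *-ignorehosts directive that
    names a preprocessor that is not loaded, or that precedes it."""
    loaded = {}    # preprocessor name -> line where it is declared
    ignores = []   # (line_no, base preprocessor name)
    for no, raw in enumerate(conf_text.splitlines(), 1):
        m = PREPROC.match(raw.split("#", 1)[0])   # drop trailing comments
        if not m:
            continue
        name = m.group(1)
        if name.endswith(SUFFIX):
            ignores.append((no, name[:-len(SUFFIX)]))
        else:
            loaded.setdefault(name, no)
    findings = []
    for no, base in ignores:
        if base not in loaded:
            have = ", ".join(sorted(loaded)) or "none"
            findings.append((no, "mismatch",
                f"{base}{SUFFIX} used but '{base}' is not loaded (loaded: {have})"))
        elif loaded[base] > no:
            findings.append((no, "order",
                f"{base}{SUFFIX} must come after '{base}' (line {loaded[base]})"))
    return findings

# Constructed samples; the portscan2 line is assumed, since the original
# post does not show where the preprocessor itself is declared.
VARS = "var DNS_SERVERS [193.252.19.3/32,193.252.19.4/32]\n"
AS_POSTED = (VARS + "preprocessor portscan-ignorehosts: $DNS_SERVERS\n"
             "preprocessor portscan2\n")
FIXED = (VARS + "preprocessor portscan2\n"
         "preprocessor portscan2-ignorehosts: $DNS_SERVERS\n")

if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(label, check_ignorehosts(conf) or "ok")
```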
Current thread:
- Right syntax ?? $DNS_SERVER ?? Thierry (Nov 18)
- Re: Right syntax ?? $DNS_SERVER ?? Andrew R. Baker (Nov 19)