Snort mailing list archives

Re: Right syntax ?? $DNS_SERVER ??


From: "Andrew R. Baker" <andrewb () snort org>
Date: Tue, 19 Nov 2002 13:08:50 -0500

Thierry wrote:
Hi,
I have a problem with the dns server of my provider.
They are noisy...
Do you know if the syntax of snort.conf is correct?

var HOME_NET $ep0_ADDRESS
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [193.252.19.3/32,193.252.19.4/32]
preprocessor portscan-ignorehosts: $DNS_SERVERS

What I can see on ACID:

#0-(1-65) [snort] (spp_portscan2) Portscan detected from 193.252.19.3: 1 targets 21 ports in 436 seconds 2002-11-18 19:49:15 193.252.19.3:53 xx.xx.xx.xx:1074 UDP

I see two problems here.

1) You are using the portscan-ignorehosts directive, but are using the portscan2 preprocessor. You need to use portscan2-ignorehosts.

2) The ignorehosts directive should be after the portscan directive.

Try fixing those two problems and see if things work for you.

-A
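
The two checks from the reply above, as an added example that is not part of the original message or of Snort: a small Python linter that flags an `-ignorehosts` directive whose base preprocessor is not loaded, or is loaded later in the file. The function name, the sample configurations, the `portscan2` argument values and the position of the `portscan2` line in the "as posted" sample are assumptions made for illustration.

```python
import re

# Matches "preprocessor <name>" at the start of a snort.conf line.
PREPROC = re.compile(r"^\s*preprocessor\s+([\w-]+)")
SUFFIX = "-ignorehosts"

def lint_ignorehosts(conf_text):
    """Return (line_no, message) findings for ignorehosts directives that
    name an unloaded preprocessor or precede the preprocessor they modify."""
    loaded, directives = {}, []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = PREPROC.match(line.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        name = m.group(1)
        if name.endswith(SUFFIX):
            directives.append((no, name))
        else:
            loaded.setdefault(name, no)  # remember first load position
    findings = []
    for no, name in directives:
        base = name[: -len(SUFFIX)]
        if base not in loaded:
            near = sorted(n for n in loaded if n.startswith("portscan"))
            hint = f" (loaded: {', '.join(near)})" if near else ""
            findings.append((no, f"{name}: no '{base}' preprocessor{hint}"))
        elif loaded[base] > no:
            findings.append(
                (no, f"{name}: placed before '{base}' on line {loaded[base]}"))
    return findings

# Constructed samples; the portscan2 argument values are illustrative only.
PORTSCAN2 = "preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60"
VARS = "var DNS_SERVERS [193.252.19.3/32,193.252.19.4/32]"
AS_POSTED = "\n".join([VARS, "preprocessor portscan-ignorehosts: $DNS_SERVERS", PORTSCAN2])
WRONG_ORDER = "\n".join([VARS, "preprocessor portscan2-ignorehosts: $DNS_SERVERS", PORTSCAN2])
FIXED = "\n".join([VARS, PORTSCAN2, "preprocessor portscan2-ignorehosts: $DNS_SERVERS"])

if __name__ == "__main__":
    for label, conf in [("as posted", AS_POSTED), ("wrong order", WRONG_ORDER), ("fixed", FIXED)]:
        print(label, lint_ignorehosts(conf) or "ok")
```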


