Re: Snort portscan false positives?

[Erek Adams <erek () theadamsfamily net>]

On 9 Oct 2002, Felipe Alfaro Solana wrote:

> You say ps2 has no idea what my HOME_NET is... I have defined HOME_NET
> on my "snort.conf" file as "var HOME_NET 192.168.0.0/24". Does ps2
> ignore the value of this variable?

I've only just perused the source, so don't take this as gospel.  :-)

> From what I see, none of the preprocessors check or care about the HOME_NET
variable.  This variable is used more in rules than anything else.  If you'll
look at the way you pass switches or parameters to plugins you'll notice that
they all have statements in the .conf like 'portscan2-ignorehosts'.  That's
what they seem to look for when they are registered with Snort.

I'd suggest setting something like 'portscan2-ignorehosts: $HOME_NET'.  Since
variable substitution is handled when the .conf is read, the statement passed
into ps2 is 'portscan2-ignorehosts: 192.168.0.0/24'.

If you don't want to put the whole HOME_NET in there, just add the single
box(es) that is/are giving you issues.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users