Snort mailing list archives

Re: portscan2-ignore... ???


From: Erek Adams <erek () snort org>
Date: Sun, 17 Aug 2003 13:56:25 -0400 (EDT)

On Sat, 16 Aug 2003, Michael D Schleif wrote:

[...snip...]

Considering the lack of documentation on this preprocessor, I am
belaboring this point, because I need to understand the intended
behaviour of portscan[2]?

[...snip...]

Use only one of the preprocessors, not both.

When using the ignorehosts line, that line tells ps2 to ignore that host
entirely.  It has no effect on the stream4 scan detection.

If you want to drop the host in all parts of snort, you'll need to use a
BPF filter.  You could do something like:

        snort <options> 'not src host 192.168.123.150'

That would ignore all traffic _from_ 192.168.123.150.  You can refine that
more and use src/dst ports, but that's an exercise for the reader.  :)  For
more info on BPF filters, check out the tcpdump man page[0].

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     It's not responding right now, or I'd have the URL.  Go to
http://www.tcpdump.org/ and look right near the top of the page.  There's
a link to the tcpdump man page there.  And yes, I'm sure that Google has a
billion of them.  :)
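The "exercise for the reader" above, worked as an added example (this is not code from the thread or from the Snort project): a small POSIX shell helper that composes the BPF expression for a list of source hosts, optionally narrowed to specific source ports so that the exclusion covers only the traffic you actually trust (for instance a known scanner's management port) rather than blinding every Snort rule to the host. The host 192.168.123.150 is the one from the reply; the ports and the pcap header trick in check_filter are assumptions of this example. Note the parentheses: `not src host A and src port 53` would parse as `(not src host A) and src port 53`, which is the opposite of the intent.

```shell
#!/bin/sh
# Added example, not part of the original reply.
#
# build_ignore_filter HOST[:PORT,PORT...] [HOST[:PORT,...] ...]
#   Prints a BPF expression that excludes packets whose *source* is one of
#   the given hosts. With no ports, all traffic from that host is excluded
#   (the broad form from the reply); with ports, only packets from those
#   source ports are excluded, which keeps the rest of the host's traffic
#   visible to Snort's rules and to portscan detection.
build_ignore_filter() {
    expr=""
    for spec in "$@"; do
        host=${spec%%:*}
        ports=""
        case $spec in
            *:*) ports=${spec#*:} ;;
        esac
        if [ -n "$ports" ]; then
            # Build "src port A or src port B ..." from the comma list.
            portexpr=""
            oldifs=$IFS
            IFS=,
            for p in $ports; do
                if [ -n "$portexpr" ]; then
                    portexpr="$portexpr or src port $p"
                else
                    portexpr="src port $p"
                fi
            done
            IFS=$oldifs
            term="(src host $host and ($portexpr))"
        else
            term="src host $host"
        fi
        if [ -n "$expr" ]; then
            expr="$expr or $term"
        else
            expr="$term"
        fi
    done
    # Wrap the whole disjunction in one "not (...)" so precedence is explicit.
    printf 'not (%s)\n' "$expr"
}

# check_filter EXPR
#   Dry-run the expression through tcpdump's compiler (tcpdump -d) without
#   touching an interface: -r reads a constructed, empty pcap file whose
#   24-byte global header declares Ethernet (link type 1). Returns 0 when the
#   expression compiles, non-zero on a syntax error, and 0 with a notice when
#   tcpdump is not installed. The pcap header bytes are an assumption of this
#   example, not something the reply describes.
check_filter() {
    if ! command -v tcpdump >/dev/null 2>&1; then
        echo "tcpdump not found; skipping compile check" >&2
        return 0
    fi
    tmp=$(mktemp) || return 1
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$tmp"
    tcpdump -d -r "$tmp" "$1" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage, as it would be typed into the shell (snort options are placeholders):
#   filter=$(build_ignore_filter 192.168.123.150:53,123)
#   check_filter "$filter" && snort -c snort.conf -i eth0 "$filter"
```

The broad form from the reply, `build_ignore_filter 192.168.123.150`, yields `not (src host 192.168.123.150)`; adding `:53,123` narrows it to `not ((src host 192.168.123.150 and (src port 53 or src port 123)))`. Either way the filter is applied before any preprocessor, so unlike the portscan2 ignorehosts line it also removes those packets from stream4's scan detection and from every rule.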


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net