Snort mailing list archives
Re: portscan2-ignore... ???
From: Michael D Schleif <mds () helices org>
Date: Sun, 17 Aug 2003 13:41:02 -0500
Erek Adams <erek () snort org> [2003:08:17:13:56:25-0400] scribed:
> On Sat, 16 Aug 2003, Michael D Schleif wrote:
>
> [...snip...]
>
> > Considering the lack of documentation on this preprocessor, I am
> > belaboring this point, because I need to understand the intended
> > behaviour of portscan[2]?
>
> [...snip...]
>
> Use only one of the preprocessors, not both.
OK
> When using the ignorehosts line, that line tells ps2 to ignore that host
> entirely. It has no effect on the stream4 scan detection.
OK
> If you want to drop the host in all parts of snort, you'll need to use a
> BPF filter. You could do something like:
>
>     snort <options> 'not src host 192.168.123.150'
>
> That would ignore all traffic _from_ 192.168.123.150. You can refine
> that more and use src/dst ports, but that's an exercise for the
> reader. :) For more info on BPF filters, check out the tcpdump man
> page[0].
That is *not* what I want to do ;>

As I explained in the original post:

``What if I want to ignore spp_portscan2 *only* originating from
192.168.123.150? Suppose that I am very interested in any scans where
192.168.123.150 is the destination/subject of that scan?''

Now, I have un-configured portscan[1], and have retested:

[1] From 192.168.123.110: nmap -O 192.168.123.150 -- which spews into
/var/log/snort/portscan2.log, and gives me spp_portscan2 in
/var/log/snort/alert .

[2] From 192.168.123.150: nmap -O 192.168.123.110 -- which puts _nothing_
in /var/log/snort/portscan2.log, and _no_ spp_portscan2 in
/var/log/snort/alert .

[3] From 192.168.123.150: nmap -O localhost -- which puts _nothing_ in
/var/log/snort/portscan2.log, and _no_ spp_portscan2 in
/var/log/snort/alert .

So, I guess my confusion was whether or not *ALL* scans of
192.168.123.150, originating somewhere other than 192.168.123.150, would
result in spp_portscan2 alerts? Apparently, as I desire, that is the
case.

Have I missed anything? If not, case closed and thank you for
clarification . . .

-- 
Best Regards,

mds
- Dare to fix things before they break . . .
- Our capacity for understanding is inversely proportional to how much
we think we know. The more I know, the more I know I don't know . . .
--
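Editor's added example (not Snort's code and not part of the thread): a small Python model of the distinction the two replies turn on. The ignorehosts line keeps a host from being reported as a *scanner* by spp_portscan2 while scans *against* it still alert, and every other Snort component still sees that host's packets; a BPF `not src host X` filter discards the host's packets before any preprocessor or rule runs. The packet generator, the threshold detector (named after the preprocessor's target_limit and port_limit options, with no timeout window), the one-pattern "rules engine" and the sample traffic are all constructed for this example and are simplifications of what Snort actually does.

```python
"""Toy model: spp_portscan2 ignorehosts versus a BPF 'not src host' filter.

Added example, not Snort's own code. Thresholds borrow the option names
target_limit / port_limit from the Snort 2.0 portscan2 preprocessor; the
timeout window, stream4 state and real rule parsing are omitted.
"""
from collections import defaultdict
from typing import Iterable, List, NamedTuple, Set, Tuple

SCANNER = "192.168.123.110"   # the box running 'nmap -O' against the sensor
SENSOR = "192.168.123.150"    # the host we want ignored as a scanner only


class Packet(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def bpf_not_src_host(packets: Iterable[Packet], host: str) -> List[Packet]:
    """Model of 'snort <options> 'not src host <host>'': the capture filter
    drops the host's packets, so no preprocessor or rule ever sees them."""
    return [p for p in packets if p.src != host]


def portscan2_alerts(packets: Iterable[Packet], ignore_hosts: Set[str] = frozenset(),
                     target_limit: int = 5, port_limit: int = 20) -> Set[str]:
    """Scanner IPs that touch more than target_limit hosts or more than
    port_limit distinct (host, port) pairs.  Sources in ignore_hosts are
    skipped as scanners, mirroring the ignorehosts line, but stay perfectly
    valid scan *targets* (assumed behaviour, as the thread describes it)."""
    hosts_hit = defaultdict(set)
    ports_hit = defaultdict(set)
    alerts: Set[str] = set()
    for p in packets:
        if p.src in ignore_hosts:
            continue
        hosts_hit[p.src].add(p.dst)
        ports_hit[p.src].add((p.dst, p.dport))
        if len(hosts_hit[p.src]) > target_limit or len(ports_hit[p.src]) > port_limit:
            alerts.add(p.src)
    return alerts


def rule_alerts(packets: Iterable[Packet],
                content: bytes = b"/etc/passwd") -> List[Tuple[str, str]]:
    """Stand-in for the rules engine: one content match, used only to show
    which packets the rest of Snort still gets to inspect."""
    return [(p.src, p.dst) for p in packets if content in p.payload]


def constructed_traffic() -> List[Packet]:
    """Constructed sample traffic (not a real capture): a 30-port probe in
    each direction, like the two 'nmap -O' runs in the thread, plus one
    rule-matching request in each direction."""
    pkts = [Packet(SCANNER, SENSOR, port) for port in range(1, 31)]
    pkts += [Packet(SENSOR, SCANNER, port) for port in range(1, 31)]
    pkts.append(Packet(SCANNER, SENSOR, 80, b"GET /../../etc/passwd HTTP/1.0\r\n"))
    pkts.append(Packet(SENSOR, SCANNER, 80, b"GET /../../etc/passwd HTTP/1.0\r\n"))
    return pkts


def compare() -> dict:
    """Run identical traffic through the three configurations discussed and
    return, per configuration, (portscan2 scanners, rule hits)."""
    traffic = constructed_traffic()
    filtered = bpf_not_src_host(traffic, SENSOR)
    return {
        "default": (portscan2_alerts(traffic), rule_alerts(traffic)),
        "ignorehosts": (portscan2_alerts(traffic, ignore_hosts={SENSOR}),
                        rule_alerts(traffic)),
        "bpf_not_src_host": (portscan2_alerts(filtered), rule_alerts(filtered)),
    }


if __name__ == "__main__":
    for name, (scanners, rules) in compare().items():
        print(f"{name:17s} portscan2 scanners={sorted(scanners)} rule hits={rules}")
```

With ignorehosts, 192.168.123.110 is still reported for scanning 192.168.123.150 (test [1] above), 192.168.123.150 is never reported as a scanner (tests [2] and [3]), and the content rule still fires on 192.168.123.150's own request. With the BPF filter the scanner result is the same, but the rule hit from 192.168.123.150 disappears too, which is why the BPF approach drops more than the original poster asked for.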
Current thread:
- portscan2-ignore... ??? Michael D Schleif (Aug 15)
- Re: portscan2-ignore... ??? Michael D Schleif (Aug 16)
- Re: portscan2-ignore... ??? Erek Adams (Aug 17)
- Re: portscan2-ignore... ??? Michael D Schleif (Aug 17)
- Re: portscan2-ignore... ??? Michael D Schleif (Aug 18)
- Re: portscan2-ignore... ??? Erek Adams (Aug 18)
- Re: portscan2-ignore... ??? Michael D Schleif (Aug 18)
- Re: portscan2-ignore... ??? Erek Adams (Aug 19)
- Re: portscan2-ignore... ??? Erek Adams (Aug 17)
- Re: portscan2-ignore... ??? Michael D Schleif (Aug 16)
- Re: portscan2-ignore... ??? Erek Adams (Aug 18)
- Re: portscan2-ignore... ??? Michael D Schleif (Aug 18)