Snort mailing list archives
ignorehost in snort.conf Does Not ignore my scanner, why?
From: Snortty <cwcwcwg () yahoo com>
Date: Wed, 10 Mar 2004 06:03:35 -0800 (PST)
Hi, All;

We have a few dedicated port scanners on the big network running on a regular basis, and I want to set up my snort to ignore those alerts from scanners, so I put scanner IPs in the snort.conf as:

    preprocessor portscan-ignorehosts: 10.10.10.1 10.10.10.2
    preprocessor portscan2-ignorehosts: 10.10.10.1/32 10.10.10.2/32

But still I see a lot of scanning traffic from both scanners whenever they run, especially the alert:

    spp_bo: Back Orifice Traffic detected (key: 31337) {udp}

Is there anything else I should do in order to filter out anything coming from the scanners, please anyone?

Thanks a lot!
SW.