Snort mailing list archives

ignorehost in snort.conf Does Not ignore my scanner, why?


From: Snortty <cwcwcwg () yahoo com>
Date: Wed, 10 Mar 2004 06:03:35 -0800 (PST)


Hi, All;

We have a few dedicated port scanners on the big
network running on a regular basis, and I want to set up
my snort to ignore those alerts from scanners, so I
put scanner IPs in the snort.conf as:
;
preprocessor portscan-ignorehosts: 10.10.10.1 10.10.10.2
;
;
;
preprocessor portscan2-ignorehosts: 10.10.10.1/32 10.10.10.2/32
;
But still I see a lot of scanning traffic from both
scanners whenever they run, especially alert: spp_bo:
Back Orifice Traffic detected (key: 31337) {udp}

Is there anything else I should do in order to filter
out anything coming from the scanners, please anyone?

Thanks a lot!
SW. 

