Snort mailing list archives
Re: how do you remove local subnet from scan.rules
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 12 Aug 2004 13:36:22 -0400
At 08:36 AM 8/12/2004, Mike Dodor wrote:
I'm looking for help with the proper syntax that will allow me to ignore scan alerts where the source and destination are the same subnet. The logs are getting overwhelmed with spp_portscan2 alerts from the DCs to our Webmail frontends. So I'm looking for a little help in how best to edit the scan.rules so it will ignore any spp_portscan2's from within the same subnet.
If your problem is spp_portscan2, don't edit scan.rules. That won't help in the slightest, as the two are completely unrelated.
It's like trying to put toner in an inkjet printer. Yes, toner is used in printing, but not in inkjet printers. Inkjets use ink cartridges.
If you want portscan2 to ignore certain hosts, use the portscan2-ignorehosts directive.
Either that or ditch portscan2 entirely and use flow_portscan instead. It's a bit more configurable, albeit much more confusing.
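As an added illustration of the portscan2-ignorehosts directive mentioned above (this fragment is not from the thread or from the Snort distribution), a Snort 2.x snort.conf excerpt; the addresses are made-up placeholders standing in for the domain controllers:

```conf
# Snort 2.x snort.conf fragment (added example; addresses are placeholders).
# portscan2 relies on the conversation preprocessor, so load that first.
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

# Hosts listed here are no longer tracked as scan sources by portscan2.
# List only the domain controllers that produce the noisy alerts ...
preprocessor portscan2-ignorehosts: 10.0.5.10 10.0.5.11

# ... rather than the whole subnet, which would also hide a genuine scan
# launched from any other host on that network:
# preprocessor portscan2-ignorehosts: 10.0.5.0/24
```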