Snort mailing list archives

Re: how do you remove local subnet from scan.rules


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 12 Aug 2004 13:36:22 -0400

At 08:36 AM 8/12/2004, Mike Dodor wrote:
I'm looking for help with the proper syntax that will allow me to ignore scan alerts where the source and destination are the same subnet. The logs are getting overwhelmed with ssp_portscan2 alerts from the DC's to our Webmail frontends. So I'm looking for a little help in how best to edit the scan.rules so it will ignore any ssp_portscan2's from within the same subnet.

If your problem is spp_portscan2, don't edit scan.rules. That won't help in the slightest, as the two are completely unrelated.

It's like trying to put toner in an inkjet printer. Yes, toner is used in printing, but not in inkjet printers. Inkjets use ink cartridges.

If you want portscan2 to ignore certain hosts, use the portscan2-ignorehosts directive.

Either that or ditch portscan2 entirely and use flow_portscan instead. It's a bit more configurable, albeit much more confusing.
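For readers who want to see what the suggested directive actually looks like in a Snort 2.x snort.conf, the following fragment is an added example for this archive page; it is not part of Matt's reply and not a snippet from the Snort distribution. The addresses are constructed placeholders, and scan.rules is deliberately left untouched.

```conf
# Added example (not from the original thread): Snort 2.x snort.conf lines for
# quieting spp_portscan2 alerts from known-noisy internal hosts.
# 192.0.2.10 and 192.0.2.11 are constructed placeholder addresses.

# portscan2 depends on the conversation preprocessor, so load it first.
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000

# Default-style portscan2 thresholds; tune target_limit / port_limit for your site
# if the alerts are genuinely noise rather than a real scan pattern.
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

# Ignore portscan2 detection for traffic *sourced from* these hosts or networks.
# The list is whitespace-delimited and may mix single hosts and CIDR blocks.
# Caveat: this suppresses portscan2 alerts for everything these sources send,
# not just traffic that stays inside the subnet, so list the specific domain
# controllers rather than the whole /24 wherever possible.
preprocessor portscan2-ignorehosts: 192.0.2.10 192.0.2.11
```

After changing the configuration, restart Snort (or send it a reload) and confirm that scans from hosts outside the ignore list still raise spp_portscan2 alerts; an overly broad ignore list is the usual way a real internal scan goes unnoticed.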
