Snort mailing list archives

RE: sfPortscan IP list ?


From: "T Samp." <tsamp77 () optonline net>
Date: Fri, 02 Sep 2005 08:53:05 -0400

Folks...  Lee Clemens nailed it for me....

I needed a space around the braces... <Doh!> 40 lashes for me..

Thanks to all again!


 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jason Brvenik
Sent: Friday, September 02, 2005 8:37 AM
To: T Samp.
Cc: 'Lee Clemens'; snort-users () lists sourceforge net
Subject: Re: [Snort-users] sfPortscan IP list ?

Not looked at the code but the difference may be that the working example is
an IP list

{ x.x.x.x/y,x.x.x.x,x.x.x.x,x.x.x.x }

Can you split your one argument into multiple arguments?

If it is a single IP try adding a localhost IP as well.

{ 10.1.1.1/32,127.0.0.2/32 }

T Samp. wrote:
Very strange....  I have it set up just like that...

ignore_scanners  {xxx.xxx.xxx.xxx}

And again Snort tells me that there is "no argument" to the option....
I am using 2.4 as well...

The docs talk about a "Snort IP list" as the argument to 
ignore_scanners as opposed to just CIDR IP address...
Maybe I am passing the address incorrectly?  Then again it works for 
you :)

Thanks for reaching out...



-----Original Message-----
From: Lee Clemens [mailto:snort () leeclemens net]
Sent: Wednesday, August 31, 2005 8:26 PM
To: 'T Samp.'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] sfPortscan IP list ?

I am using 2.4 and I have ignore_scanners set up like this:

ignore_scanners { x.x.x.x/y,x.x.x.x,x.x.x.x,x.x.x.x }

If your HOME_NET is only one IP address, just enter the IP without the 
slash.

Hope that helps!

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of T Samp.
Sent: Wednesday, August 31, 2005 6:16 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] sfPortscan IP list ?

I am experimenting with the sfPortscan module...

When I utilize the ignore_scanners option, I get a Snort error on
initialization: "No argument to 'ignore_scanners' config option"

I have tried  the following:

ignore_scanners {xxx.xxx.xxx.xxx/32}
ignore_scanners {$HOME_NET}
ignore_scanners {[xxx.xxx.xxx.xxx/32]}
ignore_scanners {[$HOME_NET]}

I guess I can't figure out the syntax for the IP portion of this option.

Any nudge in the right direction is greatly appreciated !



-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO 
September 19-22, 2005 * San Francisco, CA * Development Lifecycle 
Practices Agile & Plan-Driven Development * Managing Projects & Teams 
* Testing & QA Security
* Process Improvement & Measurement * http://www.sqe.com/bsce5sf 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
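
Added example, not part of the original thread and not Snort code: a small Python check that scans snort.conf text for the mistake resolved above, a brace written without surrounding whitespace in an sfPortscan option. It assumes only what the thread reports (each brace must stand alone as a whitespace-separated token); the sample config, its addresses and the function names are constructed for illustration.

```python
import re

# sfPortscan options whose argument is a brace-delimited list.
BRACE_OPTIONS = {"proto", "scan_type", "sense_level", "watch_ip",
                 "ignore_scanners", "ignore_scanned"}

# Constructed sample: the first directive repeats the thread's failing form,
# the second uses the spacing that worked.
SAMPLE = r"""
# constructed snort.conf fragment
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    sense_level { low } \
    ignore_scanners {192.0.2.10/32}
preprocessor sfportscan: proto { all } sense_level { low } \
    ignore_scanners { 192.0.2.10/32,127.0.0.2/32 }
"""

def logical_lines(text):
    """Yield (first_line_no, text) with backslash-continued lines joined."""
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        yield start, buf + stripped
        buf, start = "", None
    if buf:  # file ended on a continuation line
        yield start, buf

def lint_sfportscan(text):
    """Return (line_no, option, token) for each brace glued to other text."""
    findings = []
    for no, line in logical_lines(text):
        m = re.match(r"\s*preprocessor\s+sfportscan\s*:(.*)", line, re.I)
        if not m:
            continue  # comments and unrelated directives are skipped
        option = None
        for tok in m.group(1).split():
            name = re.split(r"[{}]", tok)[0]
            if name in BRACE_OPTIONS:
                option = name  # remember which option the braces belong to
            if ("{" in tok or "}" in tok) and tok not in ("{", "}"):
                findings.append((no, option, tok))
    return findings

if __name__ == "__main__":
    for no, option, tok in lint_sfportscan(SAMPLE):
        print(f"line {no}: {option}: add spaces around braces in {tok!r}")
```

Running it on a config before starting Snort points at the directive's first line and the offending token, which the "No argument" initialization error does not.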




