Snort mailing list archives

Re: No clue?


From: John Friedman <jfriedmanx () yahoo com>
Date: Tue, 15 Nov 2005 12:14:12 -0800 (PST)

Thank you for your help.  Here is the config in my snort.conf:

preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low }
ignore_scanners { 10.1.10.6 } 

But if I add ignore_scanners { 10.1.10.6 } to the snort.conf, the snort service cannot be started.  If I remove ignore_scanners { 10.1.10.6 }, then the snort service starts fine.  No idea why?

Thanks,

John 
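The directive quoted above is a good illustration of how Snort reads snort.conf: a line is continued onto the next only when it ends in a backslash, so a preprocessor option that follows a line without one is read as a separate, top-level directive. The following Python lint is an added example (not code from the thread or from Snort) that joins continuation lines the same way, extracts the sfportscan options, and flags any logical line whose first word is not a snort.conf directive. The two configurations it checks are constructed copies of the posted one (with and without the trailing backslash), and the set of known directives is a subset chosen for the example.

```python
import re

# Constructed copy of the posted configuration: "sense_level" has no
# trailing backslash, so "ignore_scanners" is NOT part of the directive.
BROKEN_CONF = """\
preprocessor sfportscan: proto  { all } \\
                         memcap { 10000000 } \\
                         sense_level { low }
ignore_scanners { 10.1.10.6 }
"""

# Same configuration with the continuation backslash added (constructed).
FIXED_CONF = """\
preprocessor sfportscan: proto  { all } \\
                         memcap { 10000000 } \\
                         sense_level { low } \\
                         ignore_scanners { 10.1.10.6 }
"""

# Top-level snort.conf keywords accepted by the lint (a subset; assumption).
KNOWN_DIRECTIVES = {
    "preprocessor", "var", "ipvar", "portvar", "config", "output", "include",
    "suppress", "threshold", "event_filter", "alert", "log", "pass", "drop",
    "reject", "sdrop", "dynamicpreprocessor", "dynamicengine", "dynamicdetection",
}


def logical_lines(text):
    """Join backslash-continued lines into one logical line each, drop
    blanks and comments, and collapse runs of whitespace."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "      # continuation: keep accumulating
            continue
        buf += line
        stripped = buf.strip()
        if stripped and not stripped.startswith("#"):
            out.append(re.sub(r"\s+", " ", stripped))
        buf = ""
    if buf.strip():                     # dangling continuation at EOF
        out.append(re.sub(r"\s+", " ", buf.strip()))
    return out


def sfportscan_options(lines):
    """Return {option: value} for the sfportscan preprocessor line, or {}."""
    for line in lines:
        m = re.match(r"preprocessor sfportscan:\s*(.*)", line)
        if m:
            return {k: v.strip()
                    for k, v in re.findall(r"(\w+)\s*\{([^}]*)\}", m.group(1))}
    return {}


def lint(text):
    """Report logical lines whose first word is not a snort.conf directive,
    the usual symptom of a continuation backslash that went missing."""
    problems = []
    for line in logical_lines(text):
        keyword = line.split()[0].rstrip(":")
        if keyword not in KNOWN_DIRECTIVES:
            problems.append(f"unknown directive '{keyword}': {line}")
    return problems


if __name__ == "__main__":
    for name, conf in (("posted", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, "sfportscan options:", sfportscan_options(logical_lines(conf)))
        for problem in lint(conf):
            print(name, "->", problem)
```

Run against the posted copy, the lint reports `ignore_scanners` as an unknown top-level directive and the sfportscan option set does not contain it; against the fixed copy the option appears under sfportscan and the lint is clean. The same check can be run over a snort.conf before restarting the service, so a parse failure of this kind is caught without a restart.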

--- Joel Esler <joel.esler () sourcefire com> wrote:

You need to put them into the sfportscan preprocessor as either ignore_scanned or ignore_scanner if you want to tune the portscan preprocessor.

Joel Esler



On Nov 15, 2005, at 11:27 AM, John Friedman wrote:

I constantly get these alerts from the citrix server:

 ID             < Signature >                                                                       < Timestamp >         < Source Address >   < Dest. Address >   < Layer 4 Proto >
 #600-(2-7409)  [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0)   2005-11-15 09:49:12   10.1.10.6            unknown             IP
 #601-(2-7410)  [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0)   2005-11-15 09:49:19   10.1.10.6            unknown             IP
 #602-(2-7411)  [snort] spp_portscan from 10.1.10.6: 1 connections across 1 hosts: TCP(1), UDP(0)   2005-11-15 09:49:59   10.1.10.6            unknown             IP
*********
I use these
suppress gen_id 100, sig_id 1
suppress gen_id 100, sig_id 2
suppress gen_id 100, sig_id 3
but it does not work.

Any idea?

Thanks,

John


--- Jeruvy <jeruvy () shaw ca> wrote:

Sorry about that, I routinely delete emails from @yahoo.com due to spam.

What is the alert SID?  Do you use oinkmaster?

J.
j e r u v y a t s h a w d o t c a


-----Original Message-----
From: John Friedman
[mailto:jfriedmanx () yahoo com]
Sent: Tuesday, November 15, 2005 8:45 AM
To: snort
Subject: RE: [Snort-users] No clue?

Hi all,

Since I did not get any reply on this, is there any way to suppress or pass this alert?

Thanks,

John

John Friedman <jfriedmanx () yahoo com> wrote:

  Thanks for pointing that out.  Here is the info again:


    ID      <







-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users









