Snort mailing list archives

Re: ignoring udp scans

From: Neil Dickey <neil () geol niu edu>
Date: Fri, 4 May 2001 09:41:58 -0500 (CDT)


"Sid" <s_i_d_j () yahoo com> wrote asking:

How do i ignore udp portscans in the portscan preprocessor? Ofcourse, i am
referring to the DNS traffic.


Near the top of your snort configuration file, you will find a line which
starts like this:

  preprocessor portscan-ignorehosts:

It is probably commented out.  Uncomment it, and list the IP addresses of
the DNS servers you wish to ignore following the colon and separated by
spaces:

  preprocessor portscan-ignorehosts: 111.222.333.444 555.666.777.888

Then save the changes and reset Snort.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

ignoring udp scans Sid (May 03)
- <Possible follow-ups>
- Re: ignoring udp scans Neil Dickey (May 04)
  - Re: ignoring udp scans Sid (May 04)