Snort mailing list archives

Re: Portscan: ignoreports option


From: Jon Hart <jhart () ccs neu edu>
Date: Sat, 9 Feb 2002 17:22:36 -0500

> Unless I'm missing something...  Couldn't you use BPF filters?  Snort has the
> ability to read in BPF filters from a file ( -F <bpf filter file> ).  You
> could simply have something like "not host x.x.x.x and port 20" to do what you
> want.
>
> I might be a bit off on this, discussions are welcome!

That would give me the desired results.  However, that means all traffic to
port 20 would get ignored, not just when it comes to detecting portscans.  

The way around this would be to run two snort processes -- one without
spp_portscan, and one with spp_portscan with a BPF filter and
without any other rules.  This would mean that one snort process would be
dedicated to detecting all attacks not including portscans, and the
second's sole purpose would be to detect portscans, but ignoring certain
ports.

IMO, this may not be a viable alternative in some installations because of
the computational overhead required by running yet another snort process.
Then again, there is only one way to find out.  

Thanks,

-jon
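The two-process layout sketched above, as an added example that is not part of the original post or of Snort itself: a small POSIX shell script that builds the exclusion filter for the portscan-only instance, writes it to a file for `-F`, and lists the two invocations. The config file names, log directories, interface and the 192.0.2.x addresses are constructed placeholders. One caveat the script encodes: in pcap filter syntax `not` binds tighter than `and`, so `not host H and port 20` selects port-20 traffic of every host *except* H; to exclude only H's port-20 traffic the whole conjunction has to be negated, `not (host H and port 20)`.

```shell
#!/bin/sh
# Added example (not from the thread or from Snort): generate the BPF filter
# that a portscan-only Snort instance loads with -F, so that selected
# host/port pairs are ignored for portscan detection while a second, full
# instance still sees all traffic. Paths, interface and addresses are
# assumptions.

# One exclusion term. The parentheses matter: "not host H and port P"
# parses as "(not host H) and port P", which is not what is wanted here.
build_exclusion() {
    # $1 = host, $2 = port  ->  "not (host H and port P)"
    printf 'not (host %s and port %s)' "$1" "$2"
}

# Combine any number of HOST:PORT pairs into one filter expression,
# AND-ing the negated terms so every listed pair is dropped.
build_exclude_filter() {
    filter=""
    for pair in "$@"; do
        host=${pair%%:*}
        port=${pair##*:}
        term=$(build_exclusion "$host" "$port")
        if [ -z "$filter" ]; then
            filter=$term
        else
            filter="$filter and $term"
        fi
    done
    printf '%s' "$filter"
}

# Write the expression to a file in the one-expression-per-file form that
# snort -F reads.
write_bpf_file() {
    # $1 = output path, remaining args = HOST:PORT pairs
    out=$1
    shift
    build_exclude_filter "$@" > "$out"
    printf '\n' >> "$out"
}

# Constructed input: ignore FTP-data (port 20) for two documentation-range
# hosts, for portscan detection only.
write_bpf_file /tmp/portscan-ignore.bpf 192.0.2.10:20 192.0.2.11:20

# Instance 1 (assumed file names): full ruleset, portscan preprocessor left
# out of snort-noscan.conf, no BPF filter, so it inspects everything.
#   snort -c /etc/snort/snort-noscan.conf -i eth0 -l /var/log/snort/main -D
# Instance 2: portscan preprocessor only, with the exclusion filter.
#   snort -c /etc/snort/snort-scanonly.conf -F /tmp/portscan-ignore.bpf \
#         -i eth0 -l /var/log/snort/scan -D
```

Running the script only produces the filter file; the two `snort` command lines are left as comments because they depend on the local config split. The cost Jon raises still applies: both instances decode every packet off the wire, and only the second one filters before the preprocessor runs.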

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users