Snort mailing list archives
Re: Portscan: ignoreports option
From: Jon Hart <jhart () ccs neu edu>
Date: Sat, 9 Feb 2002 17:22:36 -0500
> Unless I'm missing something... Couldn't you use BPF filters? Snort has the ability to read in BPF filters from a file ( -F <bpf filter file> ). You could simply have something like "not host x.x.x.x and port 20" to do what you want. I might be a bit off on this, discussions are welcome!
That would give me the desired results. However, that means all traffic to port 20 would get ignored, not just when it comes to detecting portscans. The way around this would be to run two snort processes -- one without spp_portscan, and one with spp_portscan with a BPF filter and without any other rules. This would mean that one snort process would be dedicated to detecting all attacks not including portscans, and the second's sole purpose would be to detect portscans, but ignoring certain ports. IMO, this may not be a viable alternative in some installations because of the computational overhead required by running yet another snort process. Then again, there is only one way to find out.

Thanks,
-jon
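The trade-off Jon describes (a capture-level BPF filter blinds every rule to port 20, whereas an exclusion applied only inside the portscan counter does not) can be made concrete with a small model. The following is an added example written for this archive page, not code from the thread or from Snort: `detect_portscans`, `match_rules`, the `Packet` record, the five-port threshold and the `MARKER` payload are all constructed stand-ins for Snort's spp_portscan preprocessor and its signature rules, and the three `run_*` functions model, respectively, a single process with the BPF filter in front of everything, the two-process split proposed in the reply, and the hypothetical `ignoreports` behaviour the thread asks for.

```python
"""Model of three ways to keep port 20 out of portscan detection.

Added illustration, not Snort code. Everything here is a constructed stand-in:
  - detect_portscans() plays the role of spp_portscan (count distinct
    destination ports per source, alert above a threshold);
  - match_rules() plays the role of the signature rule set (here: any packet
    whose payload contains the constructed marker b"MARKER");
  - bpf_not_port() plays the role of the BPF expression "not port 20".
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# A source touching at least this many distinct destination ports is a scan.
SCAN_PORT_THRESHOLD = 5


def bpf_not_port(port):
    """Predicate equivalent to the BPF capture filter 'not port <port>'."""
    return lambda pkt: pkt.dport != port


def detect_portscans(packets, ignore_ports=frozenset()):
    """Stand-in for spp_portscan: distinct destination ports per source.

    ignore_ports models the hypothetical 'ignoreports' option from the
    thread: those ports are skipped by the counter only, nothing else.
    Returns the set of source addresses that crossed the threshold.
    """
    ports_seen = defaultdict(set)
    for pkt in packets:
        if pkt.dport in ignore_ports:
            continue
        ports_seen[pkt.src].add(pkt.dport)
    return {src for src, ports in ports_seen.items()
            if len(ports) >= SCAN_PORT_THRESHOLD}


def match_rules(packets):
    """Stand-in for the signature rules. Returns [(src, dport), ...]."""
    return [(p.src, p.dport) for p in packets if b"MARKER" in p.payload]


def run_single_process_bpf(packets):
    """One Snort process, BPF 'not port 20' applied before everything.

    The filter sits in front of both the scan detector and the rules, so
    the rules never see port-20 traffic at all.
    """
    kept = [p for p in packets if bpf_not_port(20)(p)]
    return detect_portscans(kept), match_rules(kept)


def run_two_processes(packets):
    """The reply's proposal: process A runs the rules with no filter and no
    spp_portscan; process B runs only spp_portscan behind the BPF filter."""
    process_b_input = [p for p in packets if bpf_not_port(20)(p)]
    return detect_portscans(process_b_input), match_rules(packets)


def run_portscan_ignore(packets):
    """Hypothetical 'ignoreports': rules see everything, only the scan
    counter skips port 20. Functionally the same as the two-process split,
    but in a single process."""
    return detect_portscans(packets, ignore_ports={20}), match_rules(packets)


# Constructed traffic: 10.0.0.9 sweeps ports 20-25 (six ports, one of them
# port 20); 10.0.0.7 sends one marker payload to port 20.
SAMPLE = [Packet("10.0.0.9", "192.0.2.10", p) for p in range(20, 26)] + [
    Packet("10.0.0.7", "192.0.2.10", 20, b"MARKER"),
]

if __name__ == "__main__":
    for name, fn in (("single process + BPF", run_single_process_bpf),
                     ("two processes", run_two_processes),
                     ("ignoreports", run_portscan_ignore)):
        scans, hits = fn(SAMPLE)
        print(f"{name:22s} scans={sorted(scans)} rule_hits={hits}")
```

All three variants still flag the sweep from 10.0.0.9 (five ports remain after port 20 is excluded), but only the single-process BPF variant loses the rule hit on the port-20 marker packet, which is exactly the coverage gap the reply points out and the reason it proposes a second process.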
Current thread:
- Portscan: ignoreports option Andy Leigh (Feb 08)
- Re: Portscan: ignoreports option Jon Hart (Feb 09)
- Re: Portscan: ignoreports option Erek Adams (Feb 09)
- Re: Portscan: ignoreports option Jon Hart (Feb 09)
- Re: Portscan: ignoreports option Erek Adams (Feb 09)
- Re: Portscan: ignoreports option Erek Adams (Feb 09)
- Re: Portscan: ignoreports option Jon Hart (Feb 09)
- <Possible follow-ups>
- RE: Portscan: ignoreports option Andy Leigh (Feb 10)
- RE: Portscan: ignoreports option Erek Adams (Feb 10)