Snort mailing list archives

RE: Help with pass rule


From: francisv () dagupan com
Date: Wed, 28 Aug 2002 15:07:08 +0800

I have the following line:

        preprocessor portscan-ignorehosts: $HOME_NET

in my snort.conf file. Is portscan-ignorehosts directly related to scan
attempts?

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net] 
Sent: Wednesday, August 28, 2002 2:58 PM
To: francisv () dagupan com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Help with pass rule

On Wed, 28 Aug 2002 francisv () dagupan com wrote:

[...good info snipped...]

The idea is to ignore traffic coming from the $SERVER_NET block going out
and ignore scan attempts from outside going inside $HOME_NET. The problem is
I still see alerts for scan proxy attempts from outside. This is how I run
snort:

      /usr/local/bin/snort -Dko -c /usr/local/etc/snort.conf

Welcome to the club.  ;)  Snort variables ($HOME_NET) do not get sent to the
pre-processors or the plugins.

If you write a pass rule, it needs to also be in the portscan_ignorehosts so
that the portscan plugin does not see it as a scan.

Hope that helps!  Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

