Snort mailing list archives
RE:
From: "Miller, Eoin" <Miller () fhlb-of com>
Date: Tue, 8 Oct 2002 13:58:30 -0400
Sorry, it's something I created myself. I create a variable called ignore_portscan and then I use that variable to control the portscan pre-processor:

var IGNORE_PORTSCAN [w.x.y.z,w.x.y.z]
preprocessor portscan-ignorehosts: $IGNORE_PORTSCAN

This works great for me. If it's not working for you, I'd review the syntax of your snort.conf.

The easiest way to turn down false positives is by tweaking your variables. If you don't want to see portscans coming from yourself then you could do this:

preprocessor portscan-ignorehosts: $HOME_NET

That would ignore your entire home_net variable that you should have declared.
-----Original Message-----
From:
Sent: None
Subject:

2002-10-08-11:30:33 Miller, Eoin:
> in your snort.conf file you will see this
> var IGNORE_PORTSCAN [w.x.y.z,w.x.y.z]

Would that I did. I don't see that in my snort.conf, nor anywhere else in my (1.9.0) snort rules. What's more, I'm having trouble tuning portscan2; it doesn't seem to be honoring portscan-ignorehosts. The easiest way I've found to tune it down for false-positives on legit servers is to use BPF to completely blind snort to those servers. This seems suboptimal to me.

-Bennett
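
One way to carry out the snort.conf syntax review suggested in the reply above, as an added example that is not part of the original thread or of Snort itself: a Python check that expands `var` definitions in file order and validates every portscan-ignorehosts entry. The sample config, its addresses and the function names are constructed for illustration, and it assumes a variable must be defined above the line that uses it.

```python
import ipaddress
import re

# Constructed sample snort.conf fragment (documentation address range).
SAMPLE_CONF = """\
var HOME_NET 192.0.2.0/24
var IGNORE_PORTSCAN [192.0.2.10,192.0.2.11]
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $IGNORE_PORTSCAN
"""

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(.+?)\s*$")
IGNORE_RE = re.compile(r"^\s*preprocessor\s+portscan-ignorehosts\s*:\s*(.*?)\s*$")


def resolve(value, variables, depth=0):
    """Expand $NAME references; KeyError means the name was never defined."""
    if depth > 10:
        raise ValueError("variable reference loop")
    return re.sub(r"\$(\w+)",
                  lambda m: resolve(variables[m.group(1)], variables, depth + 1),
                  value)


def check_ignorehosts(conf_text):
    """Return (hosts, problems) for every portscan-ignorehosts line."""
    variables, hosts, problems = {}, [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)   # names are case-sensitive
            continue
        m = IGNORE_RE.match(line)
        if not m:
            continue
        try:
            expanded = resolve(m.group(1), variables)
        except KeyError as exc:
            problems.append(f"line {lineno}: undefined variable ${exc.args[0]}")
            continue
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        # Accept both [a,b] lists and space-separated entries.
        for entry in filter(None, re.split(r"[\s,\[\]]+", expanded)):
            try:
                hosts.append(str(ipaddress.ip_network(entry, strict=False)))
            except ValueError:
                problems.append(f"line {lineno}: not an address or CIDR: {entry!r}")
    return hosts, problems
```

An empty `problems` list together with the expected hosts means the ignore list parses as intended; a misspelled variable name or a stray keyword shows up with its line number.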