Snort mailing list archives

portscan2-ignore... ???


From: Michael D Schleif <mds () helices org>
Date: Sat, 16 Aug 2003 00:09:18 -0500

I thought that I found a bug; but, it was silly me misunderstanding,
again ;<

I get a lot of bunk like this:

   9  192.168.123.150  216.52.3.11      (spp_portscan2) Portscan detected from 192.168.123.150: 6 targets 6 ports in 13 seconds
   8  192.168.123.150  216.52.3.4       (spp_portscan2) Portscan detected from 192.168.123.150: 6 targets 6 ports in 17 seconds
   8  192.168.123.150  216.52.3.4       (spp_portscan2) Portscan detected from 192.168.123.150: 6 targets 6 ports in 11 seconds

Well, wouldn't you know, 192.168.123.150 is my snort server, as well as
serving numerous other tools.

So, I want to _ignore_ scans that originate from 192.168.123.150 ; at
which point I found this:

   portscan2-ignoreports-from

Clearly, I didn't read that label rigorously enough, nor did I find any
documentation about it, and happily assumed -- erroneously -- that it
was the solution to my challenge ;>

Of course, it (and its sister: portscan2-ignoreports-to) take only
tcp/udp ports as arguments, and I am back to square one ;<

Yes, I recognize this:

   portscan2-ignorehosts

However, doesn't that one ignore the host(s), both as source and
destination?  What if I want to ignore spp_portscan2 *only* originating
from 192.168.123.150?  Suppose that I am very interested in any scans
where 192.168.123.150 is the destination/subject of that scan?

What do you think?

-- 
Best Regards,

mds
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--
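A post-processing workaround for the source-only ignore asked about above, added here as an example that is not from this thread or from Snort itself: it parses alert lines in the format quoted in the post and drops only those whose source column is an ignored host, so alerts in which that host is the scan target are kept. The first three sample lines are the ones from the post; the fourth is constructed.

```python
import re
from dataclasses import dataclass

# Alert line format as quoted in the post: count, source, destination, message.
ALERT_RE = re.compile(
    r"^\s*(?P<count>\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+"
    r"\(spp_portscan2\) Portscan detected from (?P<scanner>[\d.]+): "
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<secs>\d+) seconds\s*$"
)


@dataclass(frozen=True)
class PortscanAlert:
    count: int
    src: str
    dst: str
    targets: int
    ports: int
    seconds: int


def parse_alert(line):
    """Return a PortscanAlert for a spp_portscan2 line, or None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return PortscanAlert(int(m["count"]), m["src"], m["dst"],
                         int(m["targets"]), int(m["ports"]), int(m["secs"]))


def filter_alerts(lines, ignore_sources):
    """Keep every parsed portscan2 alert except those whose *source* is ignored.

    Unlike a host-wide ignore, an ignored host still shows up when it is the
    destination, i.e. when something else is scanning it.
    """
    kept = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert.src in ignore_sources:
            continue
        kept.append(alert)
    return kept


# Constructed sample input: three lines from the post, plus one (hypothetical
# scanner 10.0.0.7) in which the snort box is the target of the scan.
SAMPLE = [
    "   9  192.168.123.150  216.52.3.11      (spp_portscan2) Portscan detected from 192.168.123.150: 6 targets 6 ports in 13 seconds",
    "   8  192.168.123.150  216.52.3.4       (spp_portscan2) Portscan detected from 192.168.123.150: 6 targets 6 ports in 17 seconds",
    "   8  192.168.123.150  216.52.3.4       (spp_portscan2) Portscan detected from 192.168.123.150: 6 targets 6 ports in 11 seconds",
    "   2  10.0.0.7         192.168.123.150  (spp_portscan2) Portscan detected from 10.0.0.7: 3 targets 40 ports in 5 seconds",
]

if __name__ == "__main__":
    for a in filter_alerts(SAMPLE, {"192.168.123.150"}):
        print(a)
```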
