Snort mailing list archives
RE: problem with the portscan-ignore preprocessor
From: "Murray, Todd" <Todd.Murray () adidasus com>
Date: Mon, 28 Jun 2004 10:51:09 -0700
Nevermind, the problem must be in snortcenter2. I noticed it was removing the ignore line from the config even though I'd told it to add it. I added it manually to the config file and it works.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Murray, Todd
Sent: Monday, June 28, 2004 10:25 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] problem with the portscan-ignore preprocessor

I'm using snort 2.1.3 with snortcenter2 on Redhat Enterprise Linux ES release 3. My problem is that snort doesn't like the format of the ignore list I'm using. Can someone tell me what the problem might be?

#-------------------------------------------------------------------------------
# Snort Configuration file for < bear lan >
# Created with SnortCenter 2.x < http://sourceforge.net/projects/snortcenter2/ >
# $Id: snort.conf, Monday 28th of June 2004 10:23:59 AM
#-------------------------------------------------------------------------------
var EXTERNAL_NET any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH ../rules
var DNS2 10.1.5.7/32
var DNS1 10.1.5.6/32
var HOME_NET [10.1.5.0/24,10.1.29.0/24]
var SRV_NET1 10.1.5.0/24
var SNMP_SERVERS 10.2.5.179/32
var SRV_NET2 10.2.5.0/24
var TELNET_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var DNS_SERVERS [$DNS1,$DNS2]
# preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor portscan-ignorehosts: 10.1.5.0/24 10.2.5.0/24
preprocessor portscan: 0.0.0.0/0 10 3 /var/log/snort/portscan.log
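
The failure described in the reply above (a management front end dropping the portscan-ignorehosts line from the generated snort.conf) can be caught by checking the generated file before the sensor is restarted. The following is an added example, not part of the original post and not SnortCenter or Snort code; the function names and the sample excerpt are constructed for illustration, and it assumes the ignore list holds literal whitespace-separated host/CIDR entries as in the posted config.

```python
import ipaddress
import re

# Constructed sample, shaped like the tail of the config in the post.
SAMPLE_CONF = """\
var HOME_NET [10.1.5.0/24,10.1.29.0/24]
preprocessor telnet_decode
preprocessor portscan-ignorehosts: 10.1.5.0/24 10.2.5.0/24
preprocessor portscan: 0.0.0.0/0 10 3 /var/log/snort/portscan.log
"""

def preprocessors(conf_text):
    """Return (name, args) for every active (uncommented) preprocessor line."""
    text = re.sub(r"\\\r?\n", " ", conf_text)  # join backslash continuations
    found = []
    for line in text.splitlines():
        m = re.match(r"\s*preprocessor\s+([\w-]+)\s*:?\s*(.*)$", line)
        if m:  # lines starting with '#' never match, so comments are skipped
            found.append((m.group(1), m.group(2).strip()))
    return found

def check_ignorehosts(conf_text, expected):
    """Return a list of problems; an empty list means the line is intact."""
    args = [a for n, a in preprocessors(conf_text) if n == "portscan-ignorehosts"]
    if not args:
        return ["portscan-ignorehosts line is missing"]
    problems, nets = [], []
    for token in " ".join(args).split():
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            problems.append(f"not a valid host/CIDR entry: {token!r}")
    for want in expected:
        w = ipaddress.ip_network(want)
        if not any(n.version == w.version and w.subnet_of(n) for n in nets):
            problems.append(f"expected network not ignored: {want}")
    return problems

if __name__ == "__main__":
    # Networks the operator intends to exclude (taken from the posted config).
    for p in check_ignorehosts(SAMPLE_CONF, ["10.1.5.0/24", "10.2.5.0/24"]):
        print("PROBLEM:", p)
```

Running the check against the file the front end writes, with the intended ignore networks as `expected`, reports a dropped, commented-out or malformed ignore line before Snort is reloaded.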