Snort mailing list archives

Re: Question regarding sfportscan


From: Jeremy Hewlett <jh () sourcefire com>
Date: Fri, 7 Jan 2005 15:45:30 -0500

On Wed, Dec 29, J-H Johansen wrote:
> ignore_scanners { [$PROXY_SERVERS,$MAIL_SERVERS] } \
>
> The $PROXY_SERVERS variable is built out of two other variables ($X and $Y).
> The problem is that when I run a check on the config the "Portscan
> Detection Config" only lists the IPs in the first variable ($X).

How do you have your variables set up? sfPortscan only handles lists
of IPs, not "lists of lists."

So, if you have:
var X_IP [192.168.0.1]
var Y_IP [192.168.0.2]
var PROXY_SERVERS [$X_IP,$Y_IP]
var MAIL_SERVERS [10.0.1.1,10.0.1.2]
ignore_scanners { [$PROXY_SERVERS,$MAIL_SERVERS] }

This expands to:
ignore_scanners { [[[192.168.0.1],[192.168.0.2]],[10.0.1.1,10.0.1.2]] }

Once we hit the first ']' we are done, so the scanner only uses X_IP.
However, if you write your server IPs this way:

var X_IP 192.168.0.1
var Y_IP 192.168.0.2
var PROXY_SERVERS $X_IP,$Y_IP
var MAIL_SERVERS 10.0.1.1,10.0.1.2
ignore_scanners { [$PROXY_SERVERS,$MAIL_SERVERS] }

This expands to:
ignore_scanners { [192.168.0.1,192.168.0.2,10.0.1.1,10.0.1.2] }
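
A small config lint for the behaviour described in the message above, as an added example that is not part of the original post or of Snort's code. It assumes variables expand by plain textual substitution and models the "done at the first ']'" parse as stated in the message; the function names and sample configs are constructed for illustration.

```python
import re

# Constructed configs mirroring the two layouts in the message above.
NESTED = """\
var X_IP [192.168.0.1]
var Y_IP [192.168.0.2]
var PROXY_SERVERS [$X_IP,$Y_IP]
var MAIL_SERVERS [10.0.1.1,10.0.1.2]
ignore_scanners { [$PROXY_SERVERS,$MAIL_SERVERS] }
"""
FLAT = """\
var X_IP 192.168.0.1
var Y_IP 192.168.0.2
var PROXY_SERVERS $X_IP,$Y_IP
var MAIL_SERVERS 10.0.1.1,10.0.1.2
ignore_scanners { [$PROXY_SERVERS,$MAIL_SERVERS] }
"""

def subst(text, variables):
    # Assumption: $NAME is replaced textually by the variable's value.
    return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], text)

def expand(conf):
    """Return the ignore_scanners argument with all variables expanded."""
    variables = {}
    for line in conf.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = subst(parts[2].strip(), variables)
        elif parts and parts[0] == "ignore_scanners":
            return subst(re.search(r"\{\s*(.*?)\s*\}", line).group(1), variables)
    raise ValueError("no ignore_scanners option found")

def effective_ips(expanded):
    """IPs read when parsing stops at the first ']' (behaviour per the message)."""
    head = expanded.split("]", 1)[0].replace("[", "")
    return [ip.strip() for ip in head.split(",") if ip.strip()]

def dropped_ips(conf):
    """IPs written in the config that the first-']' parse never reaches."""
    expanded = expand(conf)
    written = re.findall(r"\d+(?:\.\d+){3}(?:/\d+)?", expanded)
    seen = effective_ips(expanded)
    return [ip for ip in written if ip not in seen]

if __name__ == "__main__":
    for name, conf in (("nested", NESTED), ("flat", FLAT)):
        print(name, expand(conf), "dropped:", dropped_ips(conf))
```

A non-empty result from `dropped_ips` means hosts intended for `ignore_scanners` are not in the effective list, which is worth checking against the "Portscan Detection Config" output at startup.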



