Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: how to disable spp_porscan?

From: robe () alfa21 com (Roberto Suarez Soto)
Date: Thu, 20 Dec 2001 17:00:08 +0100
On Dec/19, Phil Wood wrote:


1. Please post the contents of snort.rules.include.


        Of course. They're in my other reply to you :-)


   Note that portscan code was never re-written to handle the classic
   [a.b.c.0/24,q.r.s.t,...] (or negation thereof.)  
   If you want DNS_SERVERS to be parsed by portscan-ignorehosts preprocessor
   you must use a space separated list.


        Well, I've just tried with this:

        preprocessor portscan-ignorehosts: XX.XX.XX.XX YY.YY.YY.YY

        (activating also the "preprocessor portscan" before, as it's supposed)

        But the problem remains; portscan attempts are detected anyway :-m
It's like if snort was using a "builtin" or "hardcoded" configuration.

-- 
Roberto Suarez Soto                                     Alfa21 Outsourcing
    robe () alfa21 com                               http://www.alfa21.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: