Snort mailing list archives
Re: Portscan preprocessor and false positives
From: Bennett Todd <bet () rahul net>
Date: Thu, 17 Oct 2002 08:44:02 -0400
2002-10-16-11:44:39 Bennett Todd:
src net 192.168.0.0/24 and ip proto tcp and dst port 80
which of course would tell snort to _only_ see the packets we in fact want to ignore. Make that 'not (src net 192.168.0.0/24 and ip proto tcp and dst port 80)'
'(src net 10.1.1.0/24 or 192.168.1.0/24) and ip proto tcp and dst port 80'
'not ((src net 10.1.1.0/24 or 192.168.1.0/24) and ip proto tcp and dst port 80)'
or maybe some alternatives, like e.g. applying a little boolean algebra to get rid of the nested parens:
'not (src net 10.1.1.0/24 or 192.168.1.0/24) or not (ip proto tcp and dst port 80)'
-Bennett
