Snort mailing list archives

RE: sfPortscan IP list ?

From: "T Samp." <tsamp77 () optonline net>
Date: Thu, 01 Sep 2005 00:09:39 -0400

Very strange....  I have it set up just like that...

ignore_scanners  {xxx.xxx.xxx.xxx}

And it again Snort tells me that there is "no argument" to the option....
I am using 2.4 as well...

The docs talk about a "Snort IP list" as the argument to ignore_scanners as
opposed to just CIDR IP address...
Maybe I am passing the address incorrectly?  Then again it works for you :)

Thanks for reaching out...



-----Original Message-----
From: Lee Clemens [mailto:snort () leeclemens net] 
Sent: Wednesday, August 31, 2005 8:26 PM
To: 'T Samp.'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] sfPortscan IP list ?

I am using 2.4 and I have ignore_scanners setup like this:

ignore_scanners { x.x.x.x/y,x.x.x.x,x.x.x.x,x.x.x.x }

If your HOME_NET is only one IP address, just enter the IP without the
slash.

Hope that helps!

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of T Samp.
Sent: Wednesday, August 31, 2005 6:16 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] sfPortscan IP list ?

I am experimenting with the sfPortscan module...

When I utilize the ignore_scanners option, I get a Snort error on
initialization: "No argument to 'ignore_scanners' config option"

I have tried  the following:

ignore_scanners {xxx.xxx.xxx.xxx/32}
ignore_scanners {$HOME_NET}
ignore_scanners {[xxx.xxx.xxx.xxx/32]}
ignore_scanners {[$HOME_NET]}

I guess I can't figure out the syntax for the IP portion of this option.

Any nudge in the right direction is greatly appreciated !



-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO September
19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile &
Plan-Driven Development * Managing Projects & Teams * Testing & QA Security
* Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

BASE Graphs not working Lean Cornelius (Aug 30)
- Re: BASE Graphs not working Kevin Johnson (Aug 30)
  - RE: BASE Graphs not working Lean Cornelius (Aug 30)
- Re: BASE Graphs not working Alex Butcher, ISC/ISYS (Aug 31)
  - sfPortscan IP list ? T Samp. (Aug 31)
    - RE: sfPortscan IP list ? Lee Clemens (Aug 31)
    - RE: sfPortscan IP list ? T Samp. (Aug 31)
    - Re: sfPortscan IP list ? Jason Brvenik (Sep 02)
    - RE: sfPortscan IP list ? T Samp. (Sep 02)