Snort mailing list archives

RE: No clue?

From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Tue, 15 Nov 2005 16:38:07 -0500

Did you comment out the lines following the    preprocessor sfportscan
line?
                        memcap { 10000000 } \
                        sense_level { low } 


A few lines about    preprocessor sfportscan  is a description of
ignore_scanners 

Bruce

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of John
Friedman
Sent: Tuesday, November 15, 2005 2:47 PM
To: snort
Subject: Re: [Snort-users] No clue?

Thank you for your reply.  If I comment out 
# preprocessor sfportscan:
the snort service can not be started.  Also, what's
the syntax to ignore this host from sf portscan?

Thansk for your help,

John

--- Matt Kettler <mkettler () evi-inc com> wrote:

John Friedman wrote:

Hi all,
 
Since I did not get any reply on this, is there

any way to suppress or

pass this alert?


Suggestion: look at the ignorehosts option for
portscan.

Pass definitely will not work. Since pass is a rule,
it can only work if the
offending traffic is matching a rule.

You might be able to suppress it, but you'd probably
wind up having to suppress
all portscans...

It's generally best to configure your portscan
plugins properly in the first
place. Actually, if you're monitoring an internal
LAN, you'll probably just want
to turn it off or turn the thresholds way up.




                
__________________________________ 
Start your day with Yahoo! - Make it your home page! 
http://www.yahoo.com/r/hs


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28&alloc_id845&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

No clue? John Friedman (Nov 11)
- <Possible follow-ups>
- RE: No clue? John Friedman (Nov 11)
  - RE: No clue? John Friedman (Nov 15)
    - Re: No clue? Matt Kettler (Nov 15)
    - Re: No clue? John Friedman (Nov 15)
- RE: No clue? John Friedman (Nov 15)
- RE: No clue? Briggs, Bruce (Nov 15)
  - RE: No clue? John Friedman (Nov 15)
    - Re: No clue? Joel Esler (Nov 15)
- Re: No clue? John Friedman (Nov 15)
- Re: No clue? Joel Esler (Nov 15)
  - Re: No clue? John Friedman (Nov 16)
- Re: No clue? John Friedman (Nov 16)
  - Re: No clue? Eric Maheo (Nov 16)
    - Re: No clue? John Friedman (Nov 16)