Subject: Re: [snort] preprocessor portscan-ignoreports?
From: John Wilson (tug wilson.co.uk)
Date: Fri Mar 10 2000 - 13:11:24 CST
----- Original Message -----
From: Scott A . McIntyre <scott whoi.edu>
To: <snort bofh.kyrnet.kg>
Sent: 10 March 2000 18:21
Subject: Re: [snort] preprocessor portscan-ignoreports?
> Also sprach Mike Caughran (mike_caughran admin.state.ak.us):
>
> > Is it possible to ignore port 80 etc?
> > ie.
> >
> > preprocessor portscan-ignoreports: 80 443 8080
>
> That would be VERY handy. I've noticed that certain sites with loads of
> little tiny images will set off the portscan detector. It's currently
> driving me slightly more nuts than normal...

Of course if pre-processors were specified in rules and we had the multi
port notation we could write:

process TCP any any -> $INTERNAL ![80 443 8080] (portscan: 3 5 "/var/log/snort/portscan";)

;)))))

John Wilson
The Wilson Partnership
5 Market Hill, Whitchurch, Aylesbury, Bucks HP22 4JB, UK
+44 1296 641072, +44 976 611010(mobile), +44 1296 641874(fax)
Mailto: tug wilson.co.uk
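
The ignore-ports idea discussed in this thread, as an added example that is not part of the original messages and is not Snort's code: a simplified threshold detector run over constructed traffic, with and without an ignore list for 80, 443 and 8080. Reading the "3 5" in the rule above as a port threshold and a period in seconds, and modelling an image-heavy page as one client contacting many hosts on port 80, are assumptions; all names and addresses are hypothetical.

```python
from collections import defaultdict, deque


def detect_portscans(events, max_targets=3, window=5, ignore_ports=frozenset()):
    """Return the sorted source IPs that touch more than `max_targets`
    distinct (dst_ip, dst_port) pairs within `window` seconds.

    events: (timestamp, src_ip, dst_ip, dst_port) tuples sorted by time.
    Connections to a port in `ignore_ports` are never counted.
    """
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, target)
    flagged = set()
    for ts, src, dst, dport in events:
        if dport in ignore_ports:
            continue  # the proposed portscan-ignoreports behaviour
        q = recent[src]
        q.append((ts, (dst, dport)))
        # Drop observations that have aged out of the detection window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({target for _, target in q}) > max_targets:
            flagged.add(src)
    return sorted(flagged)


# Constructed sample traffic (documentation and private address ranges).
# A browser pulling small images from six servers in under a second.
BROWSER = [(0.1 * i, "10.0.0.5", f"192.0.2.{10 + i}", 80) for i in range(6)]
# A scanner probing six different services on one internal host.
SCANNER = [(0.2 * i, "198.51.100.7", "10.0.0.9", port)
           for i, port in enumerate([21, 22, 23, 25, 110, 143])]
# A sweep for web servers: port 80 only, across six internal hosts.
WEB_SWEEP = [(0.1 * i, "203.0.113.4", f"10.0.0.{20 + i}", 80) for i in range(6)]

EVENTS = sorted(BROWSER + SCANNER + WEB_SWEEP)
WEB_PORTS = frozenset({80, 443, 8080})

if __name__ == "__main__":
    print("no ignore list:    ", detect_portscans(EVENTS))
    print("ignoring web ports:", detect_portscans(EVENTS, ignore_ports=WEB_PORTS))
```

With the ignore list the browser no longer alerts and the multi-service scanner still does, but the port-80 sweep from 203.0.113.4 also drops out of the result. That gap is the cost of the ignore list and would need to be covered by a separate rule.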