OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: RE: [Snort-users] RE: portscan-ignorehosts not working
From: StrmShdw (sectechptd.net)
Date: Wed Aug 16 2000 - 20:00:35 CDT

assuming all host are on the same subnet it would be x.y.x.0/29, if they do
in fact begin with with the x.x.x.1 numbering

-----Original Message-----
From: snort-users-adminlists.sourceforge.net
[mailto:snort-users-adminlists.sourceforge.net]On Behalf Of Jason Jin
Sent: Wednesday, August 16, 2000 13:19
To: snort-userslists.sourceforge.net
Cc: Patrick.MullenGD-CS.COM
Subject: [Snort-users] RE: portscan-ignorehosts not working

Hi,

I'm using snort-1.6-3 on redhat 6.x
portscan-ignorehosts seem not working right

I have six host that i'd like to ignore
here's section on my rules

var DNS1 x.y.z.1/32 x.y.z.2/32
var DNS2 x.y.z.3/32 x.y.z.4/32
var DNS3 x.y.z.5/32 x.y.z.6/32

then
preprocessor portscan: $INTERNAL 3 5 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3

restarting snort, the portsan log still shows the
scan for x.y.z.2
         x.y.z.4
and x.y.z.5, x.y.z/6 (but not from x.y.z.1/3)

any ideas? does the white space has too be tab instead of space
(that seem do't make a differiece either in my case )

TIA,

Jason

_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users

_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users