> First, your ignorehosts line has to be *after* the portscan2 line.

It is...

> Second, ignorehosts ignores portscans *from* hosts, like your DNS
> servers.

Thats what I wrote.

> If you are getting 5000+ alerts from people scanning your proxy, then

When my proxy sometimes opens many servers at short time and recieves
many responses snort thinks this is a portscan! :))

> you might consider putting a BPF on snort to ignore your proxy or
> something like that.

BPF?! Blocking ...?

Helmut

-------------------------------------------------------
This SF.net email is sponsored by: Get the new Palm Tungsten T
handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]