Hosting Provided By

RE: [Snort-devel] [Snort-users] portscan2-ignoreports...anyone get it to work???

From: Jeff Oliveto <joliveto(at)CleanCommunications.com>
Date: Mon Mar 24 2003 - 11:39:30 EST

It would be "nice" if someone would update the snort.conf for the portscan2 preprocessor. This guessing and hunting the newsgroups for information on how to configure the preprocessor is a waste of time.

jeff -

-----Original Message-----
From: Erek Adams [mailto:erek@snort.org] Sent: Monday, March 24, 2003 9:10 AM
To: Jeff Oliveto
Cc: Pig-A-Holics Anonymous
Subject: Re: [Snort-devel] [Snort-users] portscan2-ignoreports...anyone get it to work???

[Cross posting removed]

On Thu, 20 Mar 2003, Jeff Oliveto wrote:

> Has anyone confirmed that the "preprocessor portscan2-ignoreports: s1
> s2 d1 d2" variable works?

[...snip...]

Two things:

Move any portscan2-ignore* lines below the inital portscan2 line in snort.conf.
Use the right format. :)

          preprocessor portscan2-ignoreports-to:
          preprocessor portscan2-ignoreports-from:

Verify that by a simple grep:

Do you need help?

[erek@it]/usr/local/build/cvs/snort/src/preprocessors>grep ignoreport

  spp_portscan2.{c,h}
  spp_portscan2.c: * - added ignoreports
  spp_portscan2.c:                     "portscan2-ignoreports,
  ignoring.\n",
  spp_portscan2.c:                     "portscan2-ignoreports");
  spp_portscan2.c:                 "portscan2-ignoreports directive\n",
  spp_portscan2.c:                 "portscan2-ignoreports\n", file_name,

  file_line);
  spp_portscan2.c: RegisterPreprocessor("portscan2-ignoreports-from",   InitIgnoreFrom);
  spp_portscan2.c: RegisterPreprocessor("portscan2-ignoreports-to",   InitIgnoreTo);

Cheers!

Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There! NetWorld+Interop Las Vegas 2003 -- Register today! http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users Received on Tue Mar 25 10:21:55 2003

This message: [ Message body ]
Next message: John Crabtree: "[Snort-users] Are there any rules out there to alert for a THC-Hydra scan?"
Previous message: aalbert(at)supelec-rennes.fr: "[Snort-users] (no subject)"
In reply to Erek Adams: "Re: [Snort-devel] [Snort-users] portscan2-ignoreports...anyone get it to work???"
Next in thread: Erek Adams: "RE: [Snort-devel] [Snort-users] portscan2-ignoreports...anyone get it to work???"
Reply: Erek Adams: "RE: [Snort-devel] [Snort-users] portscan2-ignoreports...anyone get it to work???"
Reply: Erek Adams: "RE: [Snort-devel] [Snort-users] portscan2-ignoreports...anyone get it to work???"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:11:50 EDT