Re: [Snort-users] No clue?

Thanks for all suggestions and help that have been
given to me.  
Here is my config now:

preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low } \
                         ignore_scanners
{[10.1.10.5,10.1.10.6] }

I restared the snort service and I still get these
alerts.

I add these to the threshold.conf:
suppress gen_id 100, sig_id 1
suppress gen_id 100, sig_id 2
suppress gen_id 100, sig_id 3

and I still get these alerts.  no idea why? 

Do you know what's the syntax for ignore_scanners for
one block IP such as 10.1.10.0/24?

Thank you so much!

John



--- Joel Esler <joel.esler@sourcefire.com> wrote:

> Because you have to include it in the line prior.. 
> See how the lines  
> prior to that have "\"?  You have to put the "\" in
> the line prior to  
> the ignore_scanners line if you want it included..
>
> J
>
>
>
> On Nov 15, 2005, at 3:14 PM, John Friedman wrote:
>
> > Thank you for your help.  Here is the config in my
> > snort.conf
> >
> > preprocessor sfportscan: proto  { all } \
> >                          memcap { 10000000 } \
> >                          sense_level { low }
> > ignore_scanners { 10.1.10.6 }
> >
> > But, If I add ignore_scanners { 10.1.10.6 } to the
> > snort.conf, the snort service can not be started. 
> If
> > I remove ignore_scanners { 10.1.10.6 }, then the
> snort
> > service is started fine.  No idea why?
> >
> > Thanks,
> >
> > John
> >
> >
> > --- Joel Esler <joel.esler@sourcefire.com> wrote:
> >
> > > You need to put them into the sfportscan
> > > preprocessor as either
> > > ignore_scanned or ignore_scanner if you want to
> tune
> > > the portscan
> > > preprocessor.
> > >
> > > Joel Esler
> > >
> > >
> > >
> > > On Nov 15, 2005, at 11:27 AM, John Friedman
> wrote:
> > > > I constantly get these alerts from the citrix
> > > server:
> > > >  ID   < Signature >   < Timestamp >   < Source
> > > Address
> > > > >   < Dest. Address >   < Layer 4 Proto >
> > > >             #600-(2-7409)        [snort]
> > > spp_portscan
> > > > from 10.1.10.6: 1 connections across 1 hosts:
> > > TCP(1),
> > > > UDP(0)        2005-11-15 09:49:12       
> 10.1.10.6
> > > >    unknown        IP
> > > >             #601-(2-7410)        [snort]
> > > spp_portscan
> > > > from 10.1.10.6: 1 connections across 1 hosts:
> > > TCP(1),
> > > > UDP(0)        2005-11-15 09:49:19       
> 10.1.10.6
> > > >    unknown        IP
> > > >             #602-(2-7411)        [snort]
> > > spp_portscan
> > > > from 10.1.10.6: 1 connections across 1 hosts:
> > > TCP(1),
> > > > UDP(0)        2005-11-15 09:49:59       
> 10.1.10.6
> > > >    unknown        IP
> > > > *********
> > > > I use these
> > > > suppress gen_id 100, sig_id 1
> > > > suppress gen_id 100, sig_id 2
> > > > suppress gen_id 100, sig_id 3
> > > > but it does not work.
> > > >
> > > > Any idea?
> > > >
> > > > Thanks,
> > > >
> > > > John
> > > >
> > > >
> > > > --- Jeruvy <jeruvy@shaw.ca> wrote:
> > > >
> > > > > Sorry about that, I routinely delete emails
> from
> > > > > @yahoo.com due to spam.
> > > > >
> > > > > What is the alert SID?  Do you use oinkmaster?
> > > > >
> > > > > J.
> > > > > j e r u v y a t s h a w d o t c a
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: John Friedman
> > > [mailto:jfriedmanx@yahoo.com]
> > > > > > Sent: Tuesday, November 15, 2005 8:45 AM
> > > > > > To: snort
> > > > > > Subject: RE: [Snort-users] No clue?
> > > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > Since I did not get any reply on this, is
> there
> > > > > any way to
> > > > > > suppress or pass this alert?
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > John
> > > > > >
> > > > > > John Friedman <jfriedmanx@yahoo.com> wrote:
> > > > > >
> > > > > >         Thanks for your pointing out.  Here is the
> info
> > > > > again:
> > > > > >           ID      <
> > > >
> > > >
> > > >
> > > >           
> > > > __________________________________
> > > > Yahoo! FareChase: Search multiple travel sites
> in
> > > one click.
> > > > http://farechase.yahoo.com
-------------------------------------------------------
> > > > This SF.Net email is sponsored by the JBoss Inc.
> > > Get Certified Today
> > > > Register for a JBoss Training Course.  Free
> > > Certification Exam
> > > > for All Training Attendees Through End of 2005.
> > > For more info visit:
> > > >
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users@lists.sourceforge.net
> > > > Go to this URL to change user options or
> > > unsubscribe:
> > > >
https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> >
> >
> >
> >     
> >             
> > __________________________________
> > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > http://mail.yahoo.com



        
                
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users