Thanks.
Now, I changed these (in threshold.conf) to:
suppress gen_id 100, sig_id 1, track by_src, ip
10.1.10.6/32
suppress gen_id 100, sig_id 2, track by_src, ip
10.1.10.6/32
suppress gen_id 100, sig_id 3, track by_src, ip
10.1.10.6/32
and also in snort.conf I have:
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low } \
ignore_scanners { 10.1.10.6 }
preprocessor portscan-ignorehosts: 10.1.10.6
But, I still get these alerts. Totally out of mind
now, any ideas?
Thanks,
John
--- Eric Maheo <eric.maheo@appliedwatch.com> wrote:
like it's a cidr, I will try:
suppress gen_id 100, sig_id 1, track by_src, ip
10.1.10.6/32
On Wed, 2005-11-16 at 07:53 -0800, John Friedman
wrote:
Thanks for your help.
did you enable the include
threshold.conf at the end
of your snort.conf?
YES!
Also, I changed to
suppress gen_id 100, sig_id 1, track by_src, ip
10.1.10.6
suppress gen_id 100, sig_id 2, track by_src, ip
10.1.10.6
suppress gen_id 100, sig_id 3, track by_src, ip
10.1.10.6
and sill with ignor_scanners statement. But, I
still
get these alerts:
************************
ID < Signature > < Timestamp > < Source
Address
< Dest. Address > < Layer 4 Proto >
#0-(2-11683) [snort]
spp_portscan
from 10.1.10.6: 1 connections across 1 hosts:
TCP(1),
UDP(0) 2005-11-16 10:50:39 10.1.10.6
unknown IP
#1-(2-11682) [snort]
spp_portscan
from 10.1.10.6: 1 connections across 1 hosts:
TCP(1),
UDP(0) 2005-11-16 10:49:59 10.1.10.6
unknown IP
#2-(2-11681) [snort]
spp_portscan
from 10.1.10.6: 1 connections across 1 hosts:
TCP(1),
UDP(0) 2005-11-16 10:49:18 10.1.10.6
unknown IP
*********************
any clue and I am totally lost.
Any suggestions?
Thanks,
John
--- Eric Maheo <eric.maheo@appliedwatch.com>
wrote:
Just my 2 cents.. did you enable the include
threshold.conf at the end
of your snort.conf?
you can add a cidr but consult the
snort_manual.pdf.
This manual is in your /doc of your sources.
Download from snort.org and
untargz your file and you will see this
snort_manual.pdf in the /doc
directory. At the page 83 you have your answer.
ex: suppress gen_id 1, sig_id 1234, track
by_dst, ip
10.1.0.0/24
On Wed, 2005-11-16 at 07:07 -0800, John Friedman
wrote:
Thanks for all suggestions and help that have
been
given to me.
Here is my config now:
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low } \
ignore_scanners
{[10.1.10.5,10.1.10.6] }
I restared the snort service and I still get
these
alerts.
I add these to the threshold.conf:
suppress gen_id 100, sig_id 1
suppress gen_id 100, sig_id 2
suppress gen_id 100, sig_id 3
and I still get these alerts. no idea why?
Do you know what's the syntax for
ignore_scanners
for
one block IP such as 10.1.10.0/24?
Thank you so much!
John
--- Joel Esler <joel.esler@sourcefire.com>
wrote:
Because you have to include it in the line
prior..
See how the lines
prior to that have "\"? You have to put the
"\"
in
the line prior to
the ignore_scanners line if you want it
included..
J
On Nov 15, 2005, at 3:14 PM, John Friedman
wrote:
Thank you for your help. Here is the
config
in my
snort.conf
preprocessor sfportscan: proto { all } \
memcap { 10000000
} \
sense_level { low
}
ignore_scanners { 10.1.10.6 }
But, If I add ignore_scanners { 10.1.10.6
} to
the
snort.conf, the snort service can not be
started.
If
I remove ignore_scanners { 10.1.10.6 },
then
the
snort
service is started fine. No idea why?
Thanks,
John
--- Joel Esler <joel.esler@sourcefire.com>
wrote:
You need to put them into the sfportscan
preprocessor as either
ignore_scanned or ignore_scanner if you
want
to
tune
the portscan
preprocessor.
Joel Esler
On Nov 15, 2005, at 11:27 AM, John
Friedman
wrote:
I constantly get these alerts from the
citrix
server:
ID < Signature > < Timestamp > <
Source
Address
< Dest. Address > < Layer 4 Proto >
#600-(2-7409) [snort]
spp_portscan
from 10.1.10.6: 1 connections across 1
hosts:
TCP(1),
UDP(0) 2005-11-15 09:49:12
=== message truncated ===
__________________________________
Yahoo! FareChase: Search multiple travel sites in one click.
http://farechase.yahoo.com
-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
Register for a JBoss Training Course. Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
