Ok - well I'm a newbie but a fast learner.....
I've got flow-tools up and running and I'm looking for network/host scans using flow-dscan, but I've told it to ignore certain destination hosts I know will be receiving lots of "short bursty" tcp connections from printers.
If I place the printers in the dscan.suppress.src file it works, but I'd rather just suppress the single host these 50+ printers are talking to by placing it in the dscan.suppress.dst file. I've tried putting it in both the src & dst files, but it doesn't seem to be working. I'm sure I've missed something along the way...
"sample output from flow-dscan"
flow-dscan: port scan: src="" dst=10.xxx.106.72 ts=1083656023 start=0504.00:33:43.913
flow-dscan: port scan: src="" dst=10.xxx.106.72 ts=1083656056 start=0504.00:34:16.934
flow-dscan: port scan: src="" dst=10.xxx.106.72 ts=1083678666 start=0504.06:51:06.755
The 10.xxx.106.72 address is a host I want to be ignored in any counts for scans, but I can't seem to get it to be ignored. I've run flow-dscan with "-d9" and I see the address read when it parses the suppress files, but I've missed something in here.....
"dscan.suppress.dst"
10.xxx.106.72 - - -
"flow-scan -b -d9"
flow-dscan: load_suppress 1
flow-dscan: suppress parser: c1=10.xxx.106.72 - - -
c2=- - -
c3=- -
c4=-
David Dolgin
Manager - Security Operations
Global Network Services
Universal Music Group
818 777-8409
[EMAIL PROTECTED]
_______________________________________________ Flow-tools mailing list [EMAIL PROTECTED] http://mailman.splintered.net/mailman/listinfo/flow-tools
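As an added illustration (not flow-tools code and not part of the post), the Python below parses a dscan.suppress file in the four-field form shown above and applies a destination suppress list to the alert lines quoted in the post. It assumes the three "-" fields are wildcards and compares addresses as plain strings, so the post's masked 10.xxx.106.72 is used verbatim; the 10.xxx.200.9 alert is constructed for contrast.

```python
import re

# Suppress-list line in the form shown in the post: an address followed by
# three fields, each "-" here. Assumption for this example: "-" is a wildcard.
SUPPRESS_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# Fields of a flow-dscan alert line we care about (src may be empty, as in the post).
ALERT_RE = re.compile(r'src="(?P<src>[^"]*)"\s+dst=(?P<dst>\S+)')

# Constructed sample input: the post's dscan.suppress.dst content and two of its
# alert lines, plus one made-up alert for a different destination.
SUPPRESS_DST = "10.xxx.106.72 - - -\n"
ALERTS = [
    'flow-dscan: port scan: src="" dst=10.xxx.106.72 ts=1083656023 start=0504.00:33:43.913',
    'flow-dscan: port scan: src="" dst=10.xxx.106.72 ts=1083656056 start=0504.00:34:16.934',
    'flow-dscan: port scan: src="" dst=10.xxx.200.9 ts=1083656100 start=0504.00:35:00.000',  # constructed
]

def parse_suppress(text):
    """Return (addr, f2, f3, f4) tuples, one per non-blank line; reject malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"bad suppress line: {raw!r}")
        entries.append(m.groups())
    return entries

def parse_alert(line):
    """Extract (src, dst) from an alert line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    return (m.group("src"), m.group("dst")) if m else None

def filter_alerts(alerts, suppress_src, suppress_dst):
    """Drop alerts whose src is in the src list or whose dst is in the dst list.
    Only the address field is compared; the three wildcard fields are ignored."""
    src_set = {e[0] for e in suppress_src}
    dst_set = {e[0] for e in suppress_dst}
    kept = []
    for line in alerts:
        parsed = parse_alert(line)
        if parsed and (parsed[0] in src_set or parsed[1] in dst_set):
            continue  # suppressed: the behaviour the post wants for 10.xxx.106.72
        kept.append(line)
    return kept

if __name__ == "__main__":
    for line in filter_alerts(ALERTS, [], parse_suppress(SUPPRESS_DST)):
        print(line)
```

Run as a script it prints only the constructed 10.xxx.200.9 line. When comparing this with the post's -d9 output, note that c1 there still holds the whole remaining line rather than just the address, which is worth checking against how the four fields are meant to be split.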
