[Snort-sigs] SID 1233 - .eml access

Jeff Kell jeff-kell at ...922...
Mon Feb 23 20:23:25 EST 2004


This alert generates a false positive on "real" webmail servers like 
Hotmail, Yahoo, and a few others.  While not comprehensive by any means, 
I have the following section you can include in threshold.conf (snort 
2.1.0 or greater) to suppress this alert for these services.

Jeff

# Comcast mailcenter - uses .eml access
suppress gen_id 1, sig_id 1233, track by_dst, ip 63.240.76.74
# Microsoft/Hotmail web servers, .eml access is expected
suppress gen_id 1, sig_id 1233, track by_dst, ip 64.4.8.0/19
suppress gen_id 1, sig_id 1233, track by_dst, ip 64.4.32.0/20
suppress gen_id 1, sig_id 1233, track by_dst, ip 64.12.184.0/24
suppress gen_id 1, sig_id 1233, track by_dst, ip 64.191.159.133
suppress gen_id 1, sig_id 1233, track by_dst, ip 65.54.168.0/21
suppress gen_id 1, sig_id 1233, track by_dst, ip 65.54.244.0/22
# Yahoo
suppress gen_id 1, sig_id 1233, track by_dst, ip 66.163.169.254
suppress gen_id 1, sig_id 1233, track by_dst, ip 66.163.170.0/24
# Microsoft/Hotmail again
suppress gen_id 1, sig_id 1233, track by_dst, ip 205.188.139.0/24
suppress gen_id 1, sig_id 1233, track by_dst, ip 207.68.160.0/21
# Yahoo
suppress gen_id 1, sig_id 1233, track by_dst, ip 216.136.224.0/22
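Added example (not part of Jeff's post, and not Snort's own parser): a small Python checker that reads suppress lines in the threshold.conf syntax used above, rejects malformed entries, and decides whether a given alert (gen_id, sig_id, source, destination) would be suppressed. It is useful for sanity-checking a suppression list before deploying it, and for seeing why "track by_dst" only matches on the destination address. The threshold.conf fragment and the alert tuples below are constructed for this example; one constructed entry deliberately omits the last octet of its CIDR to show that the check reports it.

```python
"""Validate Snort 'suppress' lines and test alerts against them.

Added illustration for the Snort-sigs thread; this is not Snort's parser.
Only the 'suppress gen_id N, sig_id N[, track by_src|by_dst, ip A[/M]]'
form is handled. Sample config and alerts are constructed.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed threshold.conf fragment. The last entry is a deliberate
# malformed CIDR (missing octet) so the validator has something to catch.
SAMPLE_THRESHOLD_CONF = """
# Comcast mailcenter - uses .eml access
suppress gen_id 1, sig_id 1233, track by_dst, ip 63.240.76.74
# Microsoft/Hotmail web servers, .eml access is expected
suppress gen_id 1, sig_id 1233, track by_dst, ip 64.4.8.0/19
# constructed typo: three octets before the prefix length
suppress gen_id 1, sig_id 1233, track by_dst, ip 216.136.224/22
"""

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


class Suppress(NamedTuple):
    gen_id: int
    sig_id: int
    track: Optional[str]                    # None: suppress for any address
    network: Optional[ipaddress.IPv4Network]


def parse_suppress_conf(text: str) -> Tuple[List[Suppress], List[str]]:
    """Return (rules, errors); bad lines are reported rather than dropped."""
    rules: List[Suppress] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: unrecognised suppress syntax: {line}")
            continue
        gen_id, sig_id, track, ip = m.groups()
        network = None
        if ip is not None:
            try:
                # strict=False accepts host addresses with a prefix length
                network = ipaddress.IPv4Network(ip, strict=False)
            except ValueError:
                errors.append(f"line {lineno}: bad ip/CIDR {ip!r}")
                continue
        rules.append(Suppress(int(gen_id), int(sig_id), track, network))
    return rules, errors


def is_suppressed(rules: List[Suppress], gen_id: int, sig_id: int,
                  src_ip: str, dst_ip: str) -> bool:
    """True if any rule for (gen_id, sig_id) covers the tracked address."""
    for r in rules:
        if (r.gen_id, r.sig_id) != (gen_id, sig_id):
            continue
        if r.track is None:
            return True
        tracked = ipaddress.IPv4Address(src_ip if r.track == "by_src" else dst_ip)
        if tracked in r.network:
            return True
    return False


if __name__ == "__main__":
    rules, errors = parse_suppress_conf(SAMPLE_THRESHOLD_CONF)
    for e in errors:
        print("ERROR", e)
    # constructed alerts: (src, dst); SID 1233 fires on the HTTP client->server
    # request, so the webmail server is the destination
    for src, dst in [("10.0.0.5", "64.4.20.7"),    # Hotmail range: suppressed
                     ("10.0.0.5", "64.4.40.1"),    # just outside /19: alerts
                     ("64.4.20.7", "10.0.0.5")]:   # by_dst ignores src: alerts
        print(src, "->", dst, "suppressed" if is_suppressed(rules, 1, 1233, src, dst) else "alerts")
```

The by_dst choice matters for this signature: the .eml request goes from your client to the webmail server, so the server address is the destination, and a by_src entry with the same networks would suppress nothing.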