[Snort-users] Passing IP Addresses best practices

Mike Burkhouse mburkhouse at ...10152...
Tue Sep 23 08:25:24 EDT 2003

Hi All,

I have a pretty new Snort setup: on RH 7.2, MySQL, PHP, Apache, ACID.

Some of our users use Blackberries, and we have more on order.  When the
Blackberries connect to our POP3 server, Snort recognizes it as a POP3 TOP
Overflow attempt.  There are 7 Blackberry servers accounting for almost 1000
hits so far.

My question is whether or not there is a method available to allow these
IPs to pass through the IDS, or to ignore the presumed attack from them.
Also, has anyone else experienced this issue?  What did you do about it?  Is
there some threshold that I can set higher so that these servers don't
trigger the rule, but any new IP that matches triggers it?  Is there a 'best
practice' scenario that I should pay particular attention to?

BTW - I called Blackberry regarding the problem.  They said they looked into
it in detail and that my IDS was issuing a false positive.

Any help is greatly appreciated.


