[Snort-users] Passing IP Addresses best practices
Erek Adams
erek at ...950...
Tue Sep 23 09:08:05 EDT 2003
On Tue, 23 Sep 2003, Mike Burkhouse wrote:
> I have a pretty new Snort setup: on RH 7.2, MySQL, PHP, Apache, ACID.
>
> Some of our users use Blackberries, and we have more on order. When the
> Blackberries connect to our POP3 server, Snort recognizes it as a POP3 TOP
> Overflow attempt. There are 7 Blackberry servers accounting for almost 1000
> hits so far.
>
> My question is whether or not there is a method available to allow these
> IPs to pass through the IDS, or to ignore the presumed attack from them.
> Also, has anyone else experienced this issue? What did you do about it? Is
> there some threshold that I can set higher so that these servers don't
> trigger the rule, but any new IP that matches triggers it? Is there a 'best
> practice' scenario that I should pay particular attention to?
>
> BTW - I called Blackberry regarding the problem. They said they looked into
> it in detail and that my IDS was issuing a false positive.
Use BPF filters or Pass rules. FAQ 3.9 [0]
Cheers!
-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
[0] http://www.snort.org/docs/FAQ.txt
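
The two options named in the reply, sketched for the Blackberry-to-POP3 case as an added example that is not part of the original message. All addresses and variable names are constructed placeholders, and the `-o` note assumes a Snort 2.0-era sensor, where pass rules are tested after alert rules unless the rule order is changed.

```conf
# snort.conf additions. Addresses are constructed placeholders from the
# documentation ranges; the variable names are hypothetical.
var BLACKBERRY_SERVERS [192.0.2.11/32,192.0.2.12/32]
var POP3_SERVER 198.51.100.25/32

# Option 1: pass rule (narrow).
# Exempts only established client-to-server POP3 packets that contain a
# TOP command and come from the listed relays. Any other host sending the
# same pattern still triggers the alert rule. A packet that matches a pass
# rule is not tested against the remaining rules, so keep the match as
# tight as the traffic allows.
pass tcp $BLACKBERRY_SERVERS any -> $POP3_SERVER 110 \
    (flow:to_server,established; content:"TOP"; nocase;)

# The pass rule only takes effect if pass rules are tested before alert
# rules, which on this Snort generation means starting with -o:
#   snort -o -c /etc/snort/snort.conf -i eth0

# Option 2: BPF filter (broad).
# The capture filter discards the packets before Snort sees them, so no
# rule, preprocessor or log entry covers POP3 traffic between these hosts.
# Cheaper for the sensor, but it removes all visibility into that traffic,
# not just the one false positive.
#   snort -c /etc/snort/snort.conf -i eth0 \
#     'not (tcp port 110 and host 198.51.100.25 and (host 192.0.2.11 or host 192.0.2.12))'
```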