[Snort-users] Passing IP Addresses best practices

Erek Adams erek at ...950...
Tue Sep 23 09:08:05 EDT 2003


On Tue, 23 Sep 2003, Mike Burkhouse wrote:

> I have a pretty new Snort setup: on RH 7.2, MySQL, PHP, Apache, acid.
>
> Some of our users use Blackberries, and we have more on order.  When the
> blackberries connect to our POP3 server, snort recognizes it as a POP3 TOP
> Overflow attempt.  There are 7 Blackberry servers accounting for almost 1000
> hits so far.
>
> My question is whether or not there is a method available to allow these
> IPs to pass through the IDS, or to ignore the presumed attack from them.
> Also, has anyone else experienced this issue?  What did you do about it?  Is
> there some threshold that I can set higher so that these servers don't
> trigger the rule, but any new IP that matches triggers it?  Is there a 'best
> practice' scenario that I should pay particular attention to?
>
> BTW - I called Blackberry regarding the problem.  They said they looked into
> it in detail and that my IDS was issuing a false positive.

Use BPF filters or Pass rules.  FAQ 3.9 [0]

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://www.snort.org/docs/FAQ.txt
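The two mechanisms named in the reply, as an added example (not part of the original thread, and not code from the Snort project): a BPF filter that keeps the known clients' POP3 traffic away from the detection engine entirely, and a set of Snort pass rules that leave the traffic visible to other rules while suppressing the POP3 alert. The host addresses, file paths and the SID numbering are constructed assumptions for illustration; the `-F` (read BPF filter from file) and `-o` (evaluate Pass rules before Alert rules) options are those of Snort 2.x, which the original poster's setup would have been running.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a BPF filter file and
# Snort pass rules for a list of trusted POP3 client hosts. The addresses below
# are constructed placeholders (RFC 5737 documentation range), not real servers.

BB_HOSTS="192.0.2.10 192.0.2.11 192.0.2.12"   # constructed: trusted client hosts
POP3_PORT=110

# Emit a BPF expression that excludes POP3 traffic from the listed hosts.
# Packets dropped by BPF never reach any rule, so nothing is logged for them;
# use this when you are sure you never want to see that traffic at all.
make_bpf_filter() {
    hosts_expr=""
    for h in $1; do
        if [ -z "$hosts_expr" ]; then
            hosts_expr="src host $h"
        else
            hosts_expr="$hosts_expr or src host $h"
        fi
    done
    printf 'not (dst port %s and (%s))\n' "$2" "$hosts_expr"
}

# Emit one Snort pass rule per host. Unlike a BPF exclusion, a pass rule is
# narrow: only the matching traffic is passed, and only if Pass rules are
# evaluated before Alert rules (snort -o). SIDs from 1000001 upward follow
# the usual convention for locally written rules (an assumption, not a Snort
# requirement).
make_pass_rules() {
    sid=1000001
    for h in $1; do
        printf 'pass tcp %s any -> $HOME_NET %s (msg:"Known POP3 client %s"; sid:%s; rev:1;)\n' \
            "$h" "$2" "$h" "$sid"
        sid=$((sid + 1))
    done
}

# Write both artifacts (paths are constructed for the example).
make_bpf_filter "$BB_HOSTS" "$POP3_PORT" > /tmp/pop3-exclude.bpf
make_pass_rules "$BB_HOSTS" "$POP3_PORT" > /tmp/local-pass.rules

# Then include /tmp/local-pass.rules from snort.conf and start Snort with, e.g.:
#   snort -c /etc/snort/snort.conf -F /tmp/pop3-exclude.bpf -o
# -F loads the BPF expression; -o changes rule order to Pass|Alert|Log so the
# pass rules win. Pick one mechanism or the other per host: with the BPF
# exclusion in place the pass rules for those hosts never see a packet.
```

The pass-rule approach is the safer default for the situation in the thread: the rest of the ruleset still inspects the Blackberry servers' traffic, and any new, unlisted IP that triggers the POP3 TOP overflow signature still alerts, which is exactly the "only these servers, not any new IP" behaviour the poster asked for.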
