[Snort-users] Passing IP Addresses best practices

Mike Burkhouse mburkhouse at ...10152...
Tue Sep 23 09:18:31 EDT 2003


Thanks Erik.

I saw that in the FAQ, but the examples used private IPs.  Being fairly new
at this, I didn't know if implied that it was a really_bad_idea to pass
public IPs, which is why I am asking about best practices.

I will definitely look into BPF more closely.  Thank you for your advice.

Mike

-----Original Message-----
From: Erek Adams [mailto:erek at ...950...] 
Sent: Tuesday, September 23, 2003 11:07 AM
To: Mike Burkhouse
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Passing IP Addresses best practices


On Tue, 23 Sep 2003, Mike Burkhouse wrote:

> I have a pretty new Snort setup: on RH 7.2, MySQL, PHP, Apache, acid.
>
> Some of our users use Blackberries, and we have more on order.  When 
> the blackberries connect to our POP3 server, snort recognizes it as a 
> POP3 TOP Overflow attempt.  There are 7 Blackberry servers accounting 
> for almost 1000 hits so far.
>
> My question is whether or not there is a method available to allow 
> these IP's to pass through the IDS, or to ignore the presumed attack 
> from them. Also, has anyone else experienced this issue?  What did you 
> do about it?  Is there some threshold that I can set higher so that 
> these servers don't trigger the rule, but any new IP that matches 
> triggers it?  Is there a 'best practice' scenario that I should pay 
> particular attention to?
>
> BTW - I called Blackberry regarding the problem.  They said they 
> looked into it in detail and that my IDS was issuing a false positive.

Use BPF filters or Pass rules.  FAQ 3.9 [0]

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://www.snort.org/docs/FAQ.txt







More information about the Snort-users mailing list