[Snort-users] Passing IP Addresses best practices
mburkhouse at ...10152...
Tue Sep 23 09:18:31 EDT 2003
I saw that in the FAQ, but the examples used private IPs. Being fairly new
at this, I didn't know if it implied that it was a really_bad_idea to pass
public IPs, which is why I am asking about best practices.
I will definitely look into BPF more closely. Thank you for your advice.
From: Erek Adams [mailto:erek at ...950...]
Sent: Tuesday, September 23, 2003 11:07 AM
To: Mike Burkhouse
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Passing IP Addresses best practices
On Tue, 23 Sep 2003, Mike Burkhouse wrote:
> I have a pretty new Snort setup: on RH 7.2, MySQL, PHP, Apache, acid.
> Some of our users use Blackberries, and we have more on order. When
> the Blackberries connect to our POP3 server, snort recognizes it as a
> POP3 TOP Overflow attempt. There are 7 Blackberry servers accounting
> for almost 1000 hits so far.
> My question is whether or not there is a method available to allow
> these IPs to pass through the IDS, or to ignore the presumed attack
> from them. Also, has anyone else experienced this issue? What did you
> do about it? Is there some threshold that I can set higher so that
> these servers don't trigger the rule, but any new IP that matches
> triggers it? Is there a 'best practice' scenario that I should pay
> particular attention to?
> BTW - I called Blackberry regarding the problem. They said they
> looked into it in detail and that my IDS was issuing a false positive.
Use BPF filters or Pass rules. FAQ 3.9 
"When things get weird, the weird turn pro." H.S. Thompson
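The two options Erek points at, as an added example that is not part of the original thread and not Snort project code. It writes a narrowly scoped Snort 2.x pass rule file for a list of known-good POP3 clients and builds the equivalent BPF expression; the host addresses (192.0.2.x, RFC 5737 test space), the rule file path, the SID numbers and the function names are all assumptions, not the poster's real setup.

```shell
#!/bin/sh
# Added example (not from the original thread): exempt a fixed set of
# POP3 clients from Snort 2.x inspection in two ways, scoped to port 110
# only so anything else those hosts send is still inspected.
set -eu

POP3_PORT=110
BB_SERVERS="192.0.2.10 192.0.2.11 192.0.2.12"   # constructed placeholder list
PASS_RULES=/etc/snort/rules/local-pass.rules     # assumed path

# write_pass_rules FILE PORT IP...
# One pass rule per host, limited to traffic from that host to our POP3
# port. No content options, so every such packet matches and is skipped.
write_pass_rules() {
    file=$1; port=$2; shift 2
    sid=1000001            # local rules conventionally use SIDs >= 1000000
    : > "$file"
    for ip in "$@"; do
        printf 'pass tcp %s any -> $HOME_NET %s (msg:"Known POP3 client %s - ignore"; sid:%s; rev:1;)\n' \
            "$ip" "$port" "$ip" "$sid" >> "$file"
        sid=$((sid + 1))
    done
}

# bpf_exclude PORT IP...
# Prints a BPF expression that keeps the hosts' POP3 traffic out of the
# capture entirely (preprocessors never see it either). The parentheses
# matter: 'not dst port 110 and src host A' means something else.
bpf_exclude() {
    port=$1; shift
    hosts=""
    for ip in "$@"; do
        hosts="${hosts:+$hosts or }src host $ip"
    done
    printf 'not (dst port %s and (%s))' "$port" "$hosts"
}

# Usage (commands shown as comments, not executed by this script):
#   write_pass_rules "$PASS_RULES" "$POP3_PORT" $BB_SERVERS
#   ... then add   include $RULE_PATH/local-pass.rules   to snort.conf and run
#   snort -o -c /etc/snort/snort.conf
#     -o applies rules in Pass->Alert->Log order; Snort 2.x of this era
#     defaulted to Alert->Pass->Log, so without it the pass rule never fires.
# BPF alternative, appended to the command line:
#   snort -c /etc/snort/snort.conf "$(bpf_exclude $POP3_PORT $BB_SERVERS)"
```

Pick the pass rule when you still want those hosts' other traffic inspected and logged; the BPF filter is cheaper but removes the matching packets from everything Snort does, including stream reassembly and packet logging. Since the question was really "ignore this one signature from these hosts only", note that Snort 2.0 also introduced threshold.conf, where a line of the form `suppress gen_id 1, sig_id <sid of the POP3 TOP rule>, track by_src, ip 192.0.2.10/32` silences one rule for one source without exempting the traffic from any other rule; the thread does not mention it, and the rule's SID is not given on this page.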