[Snort-users] Passing IP Addresses best practices

Mike Burkhouse mburkhouse at ...10152...
Tue Sep 23 10:46:04 EDT 2003


This was incredibly informative.  Thanks again, Erik.

I appreciate your help.

Mike

-----Original Message-----
From: Erek Adams [mailto:erek at ...950...] 
Sent: Tuesday, September 23, 2003 12:39 PM
To: Mike Burkhouse
Cc: Pig-A-Holics Anonymous
Subject: RE: [Snort-users] Passing IP Addresses best practices


On Tue, 23 Sep 2003, Mike Burkhouse wrote:

> I saw that in the FAQ, but the examples used private IPs.  Being 
> fairly new at this, I didn't know if it implied that it was a 
> really_bad_idea to pass public IPs, which is why I am asking about 
> best practices.
>
> I will definitely look into BPF more closely.  Thank you for your 
> advice.

There is a very subtle difference between the two.  You need to make sure
that you make the right choice for your setup.

Basically:

	*  Pass rules.  Can be set up to ignore a host or set of hosts. You
can even ignore on content.  In your case an idea might be:

	var BLACKBERRY_BOXES [192.0.2.10,192.0.2.11]
	pass tcp $BLACKBERRY_BOXES any -> $MAIL_SERVERS 110 <stuff>

	You can adjust the BLACKBERRY_BOXES var as you need or use a CIDR
subnet mask such as 10.10.10.0/24.  You can also change <stuff> to something
specific, or you can just end the rule there.  IOW, you can ignore all
incoming tcp port 110 traffic from the BBservers to your mailservers, or
ignore on something specific by using a 'content: <bleh>' statement.

	* BPF filter.  Drops the data before it even _gets_ to Snort. Very
useful if you have a lot of traffic that you want to ignore, since there is
no CPU overhead from using the BPF.

	snort <options> 'not (src net 10.10.10.0/24 and dst port 110 and dst
host <foo>)'

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
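
The two exclusion mechanisms above, as an added example that is not part of the original thread or of Snort itself: a small Python script that validates the host list, emits the Snort var and pass rule plus the equivalent BPF expression from the same list, and shows on a few constructed packets why the 'not' in a BPF exclusion has to wrap the whole conjunction (written as 'not src net A and dst port P' it binds as '(not src net A) and dst port P' and blinds the sensor to everything except other people's POP3 traffic). The BlackBerry addresses, the mail server address and the sample packets are hypothetical, taken from the RFC 5737 documentation ranges.

```python
"""Keep a Snort pass rule and a BPF exclusion in sync from one host list.

Added example for this thread; not code from the Snort project or from the
original posters.  All addresses below are constructed (RFC 5737 ranges).
"""
import ipaddress
from collections import namedtuple
from typing import Iterable, List, Sequence, Tuple

# Constructed inputs: the BlackBerry relays and the POP3 server they poll.
BLACKBERRY_BOXES = ["192.0.2.10", "192.0.2.11", "192.0.2.64/26"]
MAIL_SERVER = "198.51.100.5"
POP3 = 110

Packet = namedtuple("Packet", "src dst dport")

# Constructed sample traffic; only the first line is the flow we want ignored.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", MAIL_SERVER, POP3),    # BlackBerry -> mail, POP3
    Packet("203.0.113.7", MAIL_SERVER, POP3),   # other client -> mail, POP3
    Packet("192.0.2.10", MAIL_SERVER, 25),      # BlackBerry -> mail, SMTP
    Packet("203.0.113.7", "198.51.100.9", 80),  # unrelated web traffic
]


def parse_hosts(hosts: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Validate every entry as an IPv4 host or CIDR block.

    Placeholders such as 123.456.789.010 (octets above 255) fail here
    instead of when the sensor parses snort.conf.
    """
    nets = []
    for host in hosts:
        try:
            nets.append(ipaddress.IPv4Network(host, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid host or CIDR {host!r}: {exc}") from exc
    return nets


def snort_var(name: str, nets: Sequence[ipaddress.IPv4Network]) -> str:
    """Snort 2.x list variable; single hosts are written without /32."""
    items = [str(n.network_address) if n.prefixlen == 32 else str(n) for n in nets]
    return f"var {name} [{','.join(items)}]"


def snort_pass_rule(src_var: str, dst_var: str, port: int) -> str:
    """Header-only pass rule as in the thread.  Snort 2.x tests alert rules
    before pass rules unless started with -o (pass, alert, log order)."""
    return f"pass tcp ${src_var} any -> ${dst_var} {port}"


def bpf_exclusion(nets: Sequence[ipaddress.IPv4Network], dst_host: str, port: int) -> str:
    """BPF that drops only the BlackBerry -> mail POP3 flows.

    The 'not' wraps the whole conjunction.  CIDR blocks use 'net'; 'host'
    accepts a single address only.
    """
    srcs = " or ".join(
        f"src host {n.network_address}" if n.prefixlen == 32 else f"src net {n}"
        for n in nets
    )
    return f"not (({srcs}) and dst host {dst_host} and dst port {port})"


def _from_boxes(pkt: Packet, nets: Sequence[ipaddress.IPv4Network]) -> bool:
    return any(ipaddress.IPv4Address(pkt.src) in n for n in nets)


def kept_by_correct_filter(pkt, nets, dst_host, port) -> bool:
    """Packet survives 'not (src in boxes and dst host and dst port)'."""
    return not (_from_boxes(pkt, nets) and pkt.dst == dst_host and pkt.dport == port)


def kept_by_misparsed_filter(pkt, nets, dst_host, port) -> bool:
    """Packet survives '(not src in boxes) and dst host and dst port'."""
    return (not _from_boxes(pkt, nets)) and pkt.dst == dst_host and pkt.dport == port


def compare_filters(packets, nets, dst_host, port) -> Tuple[int, int]:
    """Return how many packets each filter lets through to Snort."""
    good = sum(kept_by_correct_filter(p, nets, dst_host, port) for p in packets)
    bad = sum(kept_by_misparsed_filter(p, nets, dst_host, port) for p in packets)
    return good, bad


if __name__ == "__main__":
    boxes = parse_hosts(BLACKBERRY_BOXES)
    print(snort_var("BLACKBERRY_BOXES", boxes))
    print(snort_pass_rule("BLACKBERRY_BOXES", "MAIL_SERVERS", POP3))
    print("snort <options> '" + bpf_exclusion(boxes, MAIL_SERVER, POP3) + "'")
    good, bad = compare_filters(SAMPLE_PACKETS, boxes, MAIL_SERVER, POP3)
    print(f"correct filter passes {good}/{len(SAMPLE_PACKETS)} packets, "
          f"misparsed filter passes {bad}/{len(SAMPLE_PACKETS)}")
```

Two operational notes go with this. First, a BPF exclusion removes the traffic from every preprocessor and rule, so nothing else in Snort will ever see a BlackBerry-to-POP3 packet; a pass rule only suppresses matching rules, which is what you want if you still care about, say, the stream reassembler or other signatures on that flow. Second, Snort 2.x at the time of this thread evaluated alert rules before pass rules by default, so the pass rule above only suppresses the alert when Snort is started with -o.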
