[Snort-users] Passing IP Addresses best practices

jon baer security at ...9153...
Tue Sep 23 13:15:16 EDT 2003


im actually writing one called AirRecon (for wireless) that would work
*with* the rules.  i have experience in it because i wrote the Alicebot
application that pretty much did the same thing for AIML (XML management).
i eventually passed over java to work w/ php+mysql more so im ripping apart
acid ...

basically it takes snort as two parts - the rules + the bpf filter (as a
file which is constantly updated w/ the console).

unfortunatley im in the middle of moving but will setup a SF page when i get
back.  in the meantime i have a big list of requests for features that id
like to hear about.  i saw the airdefense ids console and was not that
impressed.

- jon

----- Original Message -----
From: "Richard Brackett" <rbrackett at ...10146...>
To: "Pig-A-Holics Anonymous" <snort-users at lists.sourceforge.net>
Sent: Tuesday, September 23, 2003 3:27 PM
Subject: RE: [Snort-users] Passing IP Addresses best practices


So what's your opinion on Snort management interfaces? Is there such an
animal out there that I can leave Snort untouched as far as rules go and
then filter out the events I don't want after they've reached a
management interface?

-----Original Message-----
From: Erek Adams [mailto:erek at ...950...]
Sent: Tuesday, September 23, 2003 1:39 PM
To: Mike Burkhouse
Cc: Pig-A-Holics Anonymous
Subject: RE: [Snort-users] Passing IP Addresses best practices

On Tue, 23 Sep 2003, Mike Burkhouse wrote:

> I saw that in the FAQ, but the examples used private IPs.  Being
fairly new
> at this, I didn't know if implied that it was a really_bad_idea to
pass
> public IPs, which is why I am asking about best practices.
>
> I will definitely look into BPF more closely.  Thank you for your
advice.

There is a very subtle difference between the two.  You need to make
sure
that you make the right choice for you setup.

Basically:

*  Pass rules.  Can be setup to ignore a host or set of hosts.
You can even ignore on content.  In your case an idea might be:

var BLACKBERRY_BOXES [123.456.789.010,123.456.789.011]
pass tcp $BLACKBERRY_BOXES any -> $MAIL_SERVERS 110 <stuff>

You can adjust the BLACKBERRY_BOXES var as you need or use a
CIDR
subnet mask such as 10.10.10.0/24.  You can also change <stuff> to
something specific, or you can just end the rule there.  IOW, you can
ignore all incoming tcp port 110 traffic from the BBservers to your
mailservers, or ignore on something specific by using a 'content:
<bleh>'
statement.

* BPF filter.  Drops the data before it even _gets_ to Snort.
Very useful if you have a lot of traffic that you want to ignore, since
there is not a CPU overhead from using the BPF.

snort <options> 'not src host 10.10.10.0/24 and dst port 110 and
dst host <foo>'

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users






More information about the Snort-users mailing list