[Snort-users] Passing IP Addresses best practices

Mervin Pearce mervin at ...9893...
Thu Sep 25 11:15:02 EDT 2003


Yes, I have done such an application.  We get all the alerts via syslog
(for example) and in real time filter the events from the management
console. Please feel free to ask for a Demo

Best Regards
Mervin Pearce (CISA, CISSP)
Chief Executive Officer
Security Audit and Control Solutions
http://www.sacs.co.za
mervin at ...9893...
Tel: +27-11-913-0041
Fax: +27-11-896-1323
Mobile: +27-83-255-5356


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Richard
Brackett
Sent: 23 September 2003 09:28 PM
To: Pig-A-Holics Anonymous
Subject: RE: [Snort-users] Passing IP Addresses best practices


So what's your opinion on Snort management interfaces? Is there such an
animal out there that I can leave Snort untouched as far as rules go and
then filter out the events I don't want after they've reached a
management interface?

-----Original Message-----
From: Erek Adams [mailto:erek at ...950...] 
Sent: Tuesday, September 23, 2003 1:39 PM
To: Mike Burkhouse
Cc: Pig-A-Holics Anonymous
Subject: RE: [Snort-users] Passing IP Addresses best practices

On Tue, 23 Sep 2003, Mike Burkhouse wrote:

> I saw that in the FAQ, but the examples used private IPs.  Being fairly new
> at this, I didn't know if it implied that it was a really_bad_idea to pass
> public IPs, which is why I am asking about best practices.
>
> I will definitely look into BPF more closely.  Thank you for your advice.

There is a very subtle difference between the two.  You need to make
sure that you make the right choice for your setup.

Basically:

	*  Pass rules.  Can be set up to ignore a host or set of hosts.
You can even ignore on content.  In your case an idea might be:

	var BLACKBERRY_BOXES [123.456.789.010,123.456.789.011]
	pass tcp $BLACKBERRY_BOXES any -> $MAIL_SERVERS 110 <stuff>

	You can adjust the BLACKBERRY_BOXES var as you need or use a
CIDR subnet mask such as 10.10.10.0/24.  You can also change <stuff> to
something specific, or you can just end the rule there.  IOW, you can
ignore all incoming tcp port 110 traffic from the BBservers to your
mailservers, or ignore on something specific by using a 'content:
<bleh>' statement.

	* BPF filter.  Drops the data before it even _gets_ to Snort.
Very useful if you have a lot of traffic that you want to ignore, since
there is no CPU overhead from using the BPF.

	snort <options> 'not (src net 10.10.10.0/24 and dst port 110 and dst host <foo>)'

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf _______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
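
An added illustration of the two mechanisms Erek contrasts above; it is not code from the thread or from Snort itself. It models what a BPF capture filter and a Snort pass rule each do to a packet, generates both artefacts from one whitelist, and shows why the grouping of the BPF expression matters: in pcap filter syntax `not` binds tighter than `and`, so `not A and B and C` is read as `(not A) and B and C`. The addresses, the `Flow` type and the function names are constructed for the example.

```python
"""Added illustration of the two exclusion mechanisms described in the thread.

This is not Snort's code and not the poster's: it models what each mechanism
does to a packet.  A BPF capture filter is applied by libpcap before Snort
decodes anything, so a packet it drops is invisible to every rule; a pass
rule is evaluated after decoding.  It also shows why the grouping of the BPF
expression matters: in pcap filter syntax 'not' binds tighter than 'and'.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One constructed TCP flow: source, destination, destination port."""
    src: str
    dst: str
    dport: int


def parse_nets(hosts):
    """Validate the whitelist: each entry is a single address or a CIDR block."""
    return [ipaddress.ip_network(h, strict=False) for h in hosts]


def _fmt(net):
    # A /32 (or /128) is a single host; anything else stays in CIDR form.
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return net.with_prefixlen


def snort_pass_rule(var_name, hosts, dst_var, port):
    """Snort 'var' line plus a pass rule in the shape used in the thread.
    The rule ends after the port, as the thread notes is permitted; options
    such as content: would follow in parentheses."""
    addrs = ",".join(_fmt(n) for n in parse_nets(hosts))
    return (f"var {var_name} [{addrs}]\n"
            f"pass tcp ${var_name} any -> ${dst_var} {port}")


def bpf_filter(hosts, port, dst_host):
    """BPF expression that excludes exactly the whitelisted flows.
    'src net' is required for a CIDR block, 'src host' for a single address,
    and the three terms are parenthesised so that 'not' covers all of them."""
    terms = []
    for n in parse_nets(hosts):
        kind = "host" if n.prefixlen == n.max_prefixlen else "net"
        terms.append(f"src {kind} {_fmt(n)}")
    src = terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")"
    return f"not ({src} and dst port {port} and dst host {dst_host})"


def in_whitelist(flow, hosts, port, dst_host):
    """The condition the pass rule matches on, after Snort has decoded the packet."""
    src = ipaddress.ip_address(flow.src)
    return (any(src in n for n in parse_nets(hosts))
            and flow.dport == port and flow.dst == dst_host)


def reaches_snort_grouped(flow, hosts, port, dst_host):
    """Capture filter 'not (A and B and C)': only whitelisted flows are dropped."""
    return not in_whitelist(flow, hosts, port, dst_host)


def reaches_snort_ungrouped(flow, hosts, port, dst_host):
    """Capture filter 'not A and B and C' as pcap parses it: (not A) and B and C.
    Only port-110 traffic to dst_host from non-whitelisted sources survives;
    everything else is dropped before Snort ever sees it."""
    src = ipaddress.ip_address(flow.src)
    return (not any(src in n for n in parse_nets(hosts))
            and flow.dport == port and flow.dst == dst_host)


if __name__ == "__main__":
    # Constructed sample values; the thread's own addresses are placeholders.
    bb_hosts, mail, pop3 = ["10.10.10.0/24"], "192.0.2.10", 110
    print(snort_pass_rule("BLACKBERRY_BOXES", bb_hosts, "MAIL_SERVERS", pop3))
    print(bpf_filter(bb_hosts, pop3, mail))
    for f in (Flow("10.10.10.5", mail, 110), Flow("198.51.100.7", mail, 110),
              Flow("198.51.100.7", mail, 25), Flow("10.10.10.5", mail, 25)):
        print(f, "grouped:", reaches_snort_grouped(f, bb_hosts, pop3, mail),
              "ungrouped:", reaches_snort_ungrouped(f, bb_hosts, pop3, mail))
```

Running it shows the practical difference: with the grouped filter only BlackBerry-to-mail POP3 flows are hidden from Snort, while the ungrouped reading hides every SMTP flow as well, and because a BPF filter acts before decoding there is no alert or log entry to reveal the loss. Checking a filter with `tcpdump` on the same expression before handing it to Snort is a cheap way to see which packets actually survive.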

