Snort mailing list archives

Passing IP Addresses best practices


From: "Mike Burkhouse" <mburkhouse () learningvoyage com>
Date: Tue, 23 Sep 2003 11:23:43 -0400

Hi All,

I have a pretty new Snort setup: on RH 7.2, MySQL, PHP, Apache, ACID.

Some of our users use Blackberries, and we have more on order.  When the
Blackberries connect to our POP3 server, Snort recognizes it as a POP3 TOP
Overflow attempt.  There are 7 Blackberry servers accounting for almost 1000
hits so far.

My question is whether or not there is a method available to allow these
IPs to pass through the IDS, or to ignore the presumed attack from them.
Also, has anyone else experienced this issue?  What did you do about it?  Is
there some threshold that I can set higher so that these servers don't
trigger the rule, but any new IP that matches triggers it?  Is there a 'best
practice' scenario that I should pay particular attention to?

BTW - I called Blackberry regarding the problem.  They said they looked into
it in detail and that my IDS was issuing a false positive.

Any help is greatly appreciated.

Regards,

Mike 



