Snort mailing list archives

RE: Passing IP Addresses best practices


From: "Mike Burkhouse" <mburkhouse () learningvoyage com>
Date: Tue, 23 Sep 2003 12:16:22 -0400

Thanks Erek.

I saw that in the FAQ, but the examples used private IPs.  Being fairly new
at this, I didn't know if it implied that it was a really_bad_idea to pass
public IPs, which is why I am asking about best practices.

I will definitely look into BPF more closely.  Thank you for your advice.

Mike

-----Original Message-----
From: Erek Adams [mailto:erek () snort org] 
Sent: Tuesday, September 23, 2003 11:07 AM
To: Mike Burkhouse
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Passing IP Addresses best practices


On Tue, 23 Sep 2003, Mike Burkhouse wrote:

> I have a pretty new Snort setup: on RH 7.2, MySQL, PHP, Apache, acid.
>
> Some of our users use Blackberries, and we have more on order.  When
> the Blackberries connect to our POP3 server, snort recognizes it as a
> POP3 TOP Overflow attempt.  There are 7 Blackberry servers accounting
> for almost 1000 hits so far.
>
> My question is whether or not there is a method available to allow
> these IPs to pass through the IDS, or to ignore the presumed attack
> from them. Also, has anyone else experienced this issue?  What did you
> do about it?  Is there some threshold that I can set higher so that
> these servers don't trigger the rule, but any new IP that matches
> triggers it?  Is there a 'best practice' scenario that I should pay
> particular attention to?
>
> BTW - I called Blackberry regarding the problem.  They said they
> looked into it in detail and that my IDS was issuing a false positive.

Use BPF filters or Pass rules.  FAQ 3.9 [0]

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.snort.org/docs/FAQ.txt
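The three options Erek points at (pass rules, BPF filters) and the threshold Mike asks about, written out as an added example. This is not configuration from either poster or from the Snort FAQ; it assumes Snort 2.x syntax, that $HOME_NET comes from snort.conf, that the 192.0.2.x addresses stand in for the seven Blackberry servers, and that sid 2108 is a placeholder for the POP3 TOP overflow rule's real SID (look it up in your pop3.rules before copying any of this).

```snort
# Added example (not from the thread). Assumptions: Snort 2.x, $HOME_NET
# defined in snort.conf, 192.0.2.10-12 stand in for the Blackberry servers,
# sid 2108 is a PLACEHOLDER for the "POP3 TOP overflow attempt" rule SID.

# --- Option 1: pass rule (narrowest) -------------------------------------
# Only POP3 (tcp/110) from the listed sources to our own hosts is passed;
# anything else those servers send is still inspected by every other rule.
var BLACKBERRY_SERVERS [192.0.2.10,192.0.2.11,192.0.2.12]
pass tcp $BLACKBERRY_SERVERS any -> $HOME_NET 110 (msg:"PASS Blackberry servers to POP3"; sid:1000001; rev:1;)

# Caveat: Snort 2.x applies Alert rules BEFORE Pass rules by default, so the
# pass rule above does nothing unless Snort is started with -o, which changes
# the order to Pass -> Alert -> Log:
#   snort -c /etc/snort/snort.conf -o
# Check the config parses and the order change took effect before going live:
#   snort -T -c /etc/snort/snort.conf -o

# --- Option 2: suppress / threshold (threshold.conf) ---------------------
# Keeps the POP3 rule active for everyone else; only events whose SOURCE is
# one of the listed hosts are dropped. Any new IP matching the rule still
# alerts, which is exactly what Mike asked for.
suppress gen_id 1, sig_id 2108, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 2108, track by_src, ip 192.0.2.11
suppress gen_id 1, sig_id 2108, track by_src, ip 192.0.2.12

# A threshold is the wrong tool for a whitelist: it only rate-limits. This
# line keeps the rule but emits at most one alert per source per hour, for
# ALL sources, so a real attacker also gets the same rate limit.
threshold gen_id 1, sig_id 2108, type limit, track by_src, count 1, seconds 3600

# --- Option 3: BPF filter (cheapest, broadest) ----------------------------
# Passed on the snort command line (or in a file with -F). Snort never sees
# any packet from these hosts at all, so a compromised Blackberry server
# attacking anything on the network would be invisible to the IDS.
#   snort -c /etc/snort/snort.conf 'not (src host 192.0.2.10 or src host 192.0.2.11 or src host 192.0.2.12)'
```

Of the three, the suppress entries are the usual choice when the false positive is tied to one signature: the rule keeps firing for unknown sources, the Blackberry servers stay fully inspected for everything else, and nothing depends on remembering -o. The pass rule is the next best, and the BPF filter should be reserved for hosts whose traffic you really never want the sensor to process.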






