Snort mailing list archives
Re: Passing IP Addresses best practices
From: "jon baer" <security () jonbaer net>
Date: Tue, 23 Sep 2003 16:13:48 -0400
I'm actually writing one called AirRecon (for wireless) that would work *with* the rules. I have experience in it because I wrote the Alicebot application that pretty much did the same thing for AIML (XML management). I eventually passed over Java to work with PHP+MySQL more, so I'm ripping apart ACID... Basically it takes Snort as two parts: the rules + the BPF filter (as a file which is constantly updated with the console). Unfortunately I'm in the middle of moving but will set up an SF page when I get back. In the meantime I have a big list of requests for features that I'd like to hear about. I saw the AirDefense IDS console and was not that impressed.

- jon

----- Original Message -----
From: "Richard Brackett" <rbrackett () securityvolition com>
To: "Pig-A-Holics Anonymous" <snort-users () lists sourceforge net>
Sent: Tuesday, September 23, 2003 3:27 PM
Subject: RE: [Snort-users] Passing IP Addresses best practices

So what's your opinion on Snort management interfaces? Is there such an animal out there that I can leave Snort untouched as far as rules go and then filter out the events I don't want after they've reached a management interface?

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Tuesday, September 23, 2003 1:39 PM
To: Mike Burkhouse
Cc: Pig-A-Holics Anonymous
Subject: RE: [Snort-users] Passing IP Addresses best practices

On Tue, 23 Sep 2003, Mike Burkhouse wrote:
> I saw that in the FAQ, but the examples used private IPs. Being fairly new at this, I didn't know if it implied that it was a really_bad_idea to pass public IPs, which is why I am asking about best practices. I will definitely look into BPF more closely. Thank you for your advice.

There is a very subtle difference between the two. You need to make sure that you make the right choice for your setup. Basically:

* Pass rules. Can be set up to ignore a host or set of hosts. You can even ignore on content. In your case an idea might be:

      # RFC 5737 documentation addresses stand in for the real BlackBerry hosts
      var BLACKBERRY_BOXES [192.0.2.10,192.0.2.11]
      pass tcp $BLACKBERRY_BOXES any -> $MAIL_SERVERS 110 <stuff>

  You can adjust the BLACKBERRY_BOXES var as you need or use a CIDR subnet mask such as 10.10.10.0/24. You can also change <stuff> to something specific, or you can just end the rule there. IOW, you can ignore all incoming TCP port 110 traffic from the BB servers to your mail servers, or ignore on something specific by using a 'content: <bleh>' statement.

* BPF filter. Drops the data before it even _gets_ to Snort. Very useful if you have a lot of traffic that you want to ignore, since there is no CPU overhead from using the BPF.

      # 'net' (not 'host') takes a CIDR prefix, and 'not' binds tighter than 'and'
      # in BPF syntax, so the whole flow is parenthesised to exclude just that flow
      snort <options> 'not (src net 10.10.10.0/24 and dst port 110 and dst host <foo>)'

Hope that helps!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
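The two exclusion mechanisms Erek contrasts (a Snort pass rule versus a libpcap BPF expression) behave differently in a way that is easy to get wrong, so here is an added example that is not part of the thread or of the Snort project: a small Python evaluator that applies both to constructed sample traffic. It also shows the precedence trap in a BPF written as 'not src ... and dst port 110 and dst host ...': in pcap filter syntax 'not' binds tighter than 'and', so only the first term is negated and the sensor ends up seeing nothing except port-110 traffic to the mail server from non-BlackBerry hosts. The BlackBerry subnet, the mail server address and the sample packets are all assumptions (RFC 5737 documentation ranges), not values from the thread.

```python
"""Added example, not from the Snort-users thread or the Snort project.

Toy evaluator for the two ways of ignoring BlackBerry -> mail-server POP3
traffic: a Snort pass rule and a libpcap BPF expression.  Host, subnet and
packet values are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    dst: str
    dport: int


# Assumed values: the BlackBerry relay subnet and the POP3 mail server.
BLACKBERRY_NET = ipaddress.ip_network("10.10.10.0/24")
MAIL_SERVER = ipaddress.ip_address("192.0.2.25")

# Constructed sample traffic; only the first packet is the noise to drop.
SAMPLE = [
    Pkt("tcp", "10.10.10.5", "192.0.2.25", 110),    # BB -> mail POP3: ignore
    Pkt("tcp", "10.10.10.5", "192.0.2.25", 22),     # BB -> mail SSH: must be seen
    Pkt("tcp", "198.51.100.7", "192.0.2.25", 110),  # outsider -> mail POP3: must be seen
    Pkt("tcp", "198.51.100.7", "192.0.2.80", 80),   # unrelated web: must be seen
    Pkt("udp", "10.10.10.5", "192.0.2.53", 53),     # BB DNS: must be seen
]


# The three BPF primitives from the thread, as predicates on a packet.
def src_net(p):
    return ipaddress.ip_address(p.src) in BLACKBERRY_NET


def dst_port_110(p):
    return p.dport == 110


def dst_mail(p):
    return ipaddress.ip_address(p.dst) == MAIL_SERVER


def bpf_as_posted(p):
    """'not src net A and dst port 110 and dst host B': 'not' negates src_net only."""
    return (not src_net(p)) and dst_port_110(p) and dst_mail(p)


def bpf_parenthesised(p):
    """'not (src net A and dst port 110 and dst host B)': excludes exactly that flow."""
    return not (src_net(p) and dst_port_110(p) and dst_mail(p))


def pass_rule_matches(p):
    """'pass tcp $BLACKBERRY_BOXES any -> $MAIL_SERVERS 110' with no rule options."""
    return p.proto == "tcp" and src_net(p) and dst_mail(p) and p.dport == 110


def seen_by_snort(bpf):
    """Packets libpcap hands to Snort under a BPF (a filter keeps what evaluates true)."""
    return [p for p in SAMPLE if bpf(p)]


def inspected_after_pass_rule():
    """Packets the detection engine still looks at once the pass rule has claimed its matches."""
    return [p for p in SAMPLE if not pass_rule_matches(p)]


def snort_vars(bb_hosts, mail_hosts):
    """Render the var/pass lines from the thread, validating every entry as an IP or CIDR.

    Raises ValueError for placeholders such as 123.456.789.010 (octet > 255).
    """
    def fmt_one(h):
        n = ipaddress.ip_network(h, strict=False)
        return str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)

    def fmt(items):
        return "[" + ",".join(fmt_one(h) for h in items) + "]"

    return "\n".join([
        f"var BLACKBERRY_BOXES {fmt(bb_hosts)}",
        f"var MAIL_SERVERS {fmt(mail_hosts)}",
        "pass tcp $BLACKBERRY_BOXES any -> $MAIL_SERVERS 110",
    ])


if __name__ == "__main__":
    total = len(SAMPLE)
    print(f"BPF as posted    : {len(seen_by_snort(bpf_as_posted))} of {total} packets reach Snort")
    print(f"BPF parenthesised: {len(seen_by_snort(bpf_parenthesised))} of {total} packets reach Snort")
    print(f"pass rule        : {len(inspected_after_pass_rule())} of {total} packets inspected")
    print(snort_vars(["192.0.2.10", "192.0.2.11"], ["192.0.2.25"]))
```

Two caveats the evaluator cannot show. First, before trusting a BPF on a sensor, feed the exact string to `tcpdump -d '<filter>'` and read the compiled program; the as-posted form above compiles without complaint and silently blinds the sensor to almost everything. Second, in the Snort 2.x of that era pass rules were applied after alert rules by default, so a pass rule only suppresses the matching alerts when Snort is started with `-o` (which reorders evaluation to Pass, then Alert, then Log).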
Current thread:
- Passing IP Addresses best practices Mike Burkhouse (Sep 23)
- Re: Passing IP Addresses best practices Erek Adams (Sep 23)
- RE: Passing IP Addresses best practices Mike Burkhouse (Sep 23)
- RE: Passing IP Addresses best practices Erek Adams (Sep 23)
- RE: Passing IP Addresses best practices Mike Burkhouse (Sep 23)
- RE: Passing IP Addresses best practices Mike Burkhouse (Sep 23)
- Re: Passing IP Addresses best practices Erek Adams (Sep 23)
- <Possible follow-ups>
- RE: Passing IP Addresses best practices Richard Brackett (Sep 23)
- Re: Passing IP Addresses best practices jon baer (Sep 23)
- RE: Passing IP Addresses best practices Erek Adams (Sep 24)
- RE: Passing IP Addresses best practices Mervin Pearce (Sep 25)