Hi Andrea, I think the clarification you made in this sentences (which I propose again here) is a big problem, I don't agree with your choice and it worries me a lot:
IDS rules are not triggered for authentication attempts that meet one of the following criteria:
- Request comes from localhost, 127.0.0.1, or some other loopback indicator.
- Request comes from an IP in a private range. This indicates that the request is coming from the same network that the server is running on.
The problem is this: what happens if a criminal hacker manages to get into any of my systems and from this local network tries to forcefully attack the SmarterMail passwords?
Or if he manages to reach the SmarterMail server doing IP Spoofing and presenting himself with an IP that you have arbitrarily excluded from the checks?
From what you say he can try as much as he wants and will never be blocked by the IDS system...
The IDS system must work for ANY IP address, even 127.0.0.1 or a private ip (example: 192.168.1.10/24...).
Then it will be up to the administrator to White List the private IPs he wants.
Excluding from the IDS check all the IPs of the private classes (and/or any other "special" IP) in HardCoded mode without giving the administrator the possibility to decide WHICH are excluded or not is a big security hole!!!!