Snort mailing list archives

Re: Flexresp / interfaces


From: "Lionel Fairon" <lfairon () proof be>
Date: Mon, 2 Sep 2002 11:53:29 +0200

OK, some route modification seems to resolve my problem:

eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2152112 errors:0 dropped:0 overruns:0 frame:0
          TX packets:298 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1063729044 (1014.4 Mb)  TX bytes:49340 (48.1 Kb)

eth1      Link encap:Ethernet  HWaddr yy:yy:yy:yy:yy:yy
          inet addr:10.1.1.10  Bcast:XXXXXX  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:103470 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69498 errors:0 dropped:0 overruns:0 carrier:0
          collisions:5071 txqueuelen:100
          RX bytes:15244412 (14.5 Mb)  TX bytes:30482344 (29.0 Mb)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.10       *               255.255.255.0   U     0      0        0 eth1
default         10.1.1.1        255.0.0.0       UG    0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         *               0.0.0.0         U     0      0        0 eth0


DNS server NATed and reachable with 10.x IP
default gateway eth1 netmask change from 0.0.0.0 to 255.0.0.0
additional default route (no gateway) on eth0, mask 0.0.0.0

--> Communication into sec management LAN works fine, and one RST packet is sent on eth0
        --> RST to int network: OK; RST to ext network doesn't work, because eth0 tries to ARP the ext address (with eth1 IP!)

[root@system snort]# tcpdump -i eth0 | grep ": R"
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0
11:57:59.672998 212.100.xxx.xxx.http > INT_Wall_nat.2819: R 1:1(0) ack 326 win 0



Regards,

Lionel Fairon



----- Original Message -----
From: "Chris Green" <cmg () sourcefire com>
To: "Lionel Fairon" <lfairon () proof be>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, August 30, 2002 5:35 PM
Subject: Re: [Snort-users] Flexresp / interfaces


"Lionel Fairon" <lfairon () proof be> writes:

I have a Linux sensor with two interfaces:
    eth0 = promiscuous with no IP
    eth1 = connected on security management LAN, no routable IP

Is it possible to configure flexresp to generate rst_all packets on
eth0?

Nope, they follow default routing rules unfortunately.
--
Chris Green <cmg () sourcefire com>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx
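
Added example, not part of the original posts: a longest-prefix-match lookup over a constructed model of the routing table in the message above, showing which interface a flexresp reset would leave on and why a route with no gateway makes the kernel ARP for the destination itself. Assumptions: the `default` row with Genmask 255.0.0.0 is read literally as 0.0.0.0/8, and 203.0.113.5 is a constructed stand-in for the external host.

```python
import ipaddress

# Constructed model of the posted table. Each entry is
# (destination/prefix, gateway or None for an on-link route, interface).
ROUTES = [
    ("10.1.1.10/24", None, "eth1"),     # Genmask 255.255.255.0, no gateway
    ("0.0.0.0/8", "10.1.1.1", "eth1"),  # "default" with Genmask 255.0.0.0 (assumed reading)
    ("127.0.0.0/8", None, "lo"),        # Genmask 255.0.0.0
    ("0.0.0.0/0", None, "eth0"),        # "default" with Genmask 0.0.0.0, no gateway
]


def lookup(dst, routes=ROUTES):
    """Return (iface, next_hop, arps_for_destination) for dst.

    The most specific matching route wins. A route without a gateway is
    on-link: the next hop is the destination, so that is the address the
    kernel tries to resolve with ARP on the outgoing interface.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net_s, gw, iface in routes:
        net = ipaddress.ip_network(net_s, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    _, gw, iface = best
    return iface, (gw or dst), gw is None


if __name__ == "__main__":
    # Constructed destinations: management LAN host, external host, loopback.
    for dst in ("10.1.1.1", "203.0.113.5", "127.0.0.1"):
        iface, hop, on_link = lookup(dst)
        how = "ARP for destination" if on_link else f"via gateway {hop}"
        print(f"{dst:<12} -> {iface:<4} {how}")
```
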



