Snort mailing list archives

Re: Snort_Inline + Carp


From: "Mark W. Jeanmougin" <mark.jeanmougin () cchmc org>
Date: Thu, 04 Feb 2010 09:56:43 -0500

Fabio,

I had something similar to this happen.  I was using CheckPoint 
firewalls with their high availability protocol.  So, similar, but not 
identical to CARP.  The issue was latency.  It took too long for the 
heartbeat packets to make it through the inline sensor.

So, we changed the setup so that the heartbeats did not go through the 
inline sensor.  Does that make sense?

Thanks,

MJ


On 02/03/2010 04:03 PM, Fábio Ferrão wrote:
Dear Alex,
How are you?

I have a problem with snort_inline + CARP.

What is CARP? CARP is similar to VRRP; it is a virtual interface between
two firewalls on the same network.

For example: FW1 is 10.10.10.3, FW2 is 10.10.10.4. The virtual IP is
10.10.10.2. FW1 is MASTER, therefore FW1 replies on IP 10.10.10.2. FW2 is
BACKUP. If FW1 dies, FW2 is going to be the MASTER and FW2 is going to
reply on 10.10.10.2.

When I initialize snort_inline with all rules enabled, FW2 changes
to MASTER and FW1 stays MASTER, therefore I have two firewalls (FW1 and
FW2) replying as MASTER (10.10.10.2). This can't happen! When this
happens, both FW1 and FW2 go crazy! The network goes crazy!

I'm working to resolve this problem, but I haven't found the solution yet.

Can you help me?

Thanks.

--
Fábio Ferrão
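
The dual-MASTER state described in this thread can be detected from the advertisements themselves. The following is an added example, not code from either poster or from Snort. It assumes a hypothetical feed of observed advertisements as (timestamp, source IP, vhid) tuples; the vhid value 1, the 5-second window and the sample timings are constructed, and the addresses are the ones from the post.

```python
from collections import defaultdict, deque

WINDOW = 5.0  # seconds; assumed to span a few advertisement intervals


def find_dual_master(adverts, window=WINDOW):
    """Return [(vhid, timestamp, [sources])] where two senders interleave.

    adverts: iterable of (timestamp, source_ip, vhid), sorted by timestamp.
    A clean failover looks like A,A,B,B (A never returns) and is not flagged.
    A,B,A inside one window means both nodes are advertising as MASTER.
    """
    recent = defaultdict(deque)  # vhid -> deque of (timestamp, source)
    alerted = set()              # report each vhid only once
    alerts = []
    for ts, src, vhid in adverts:
        q = recent[vhid]
        while q and ts - q[0][0] > window:
            q.popleft()          # drop adverts older than the window
        seen_self, rival = False, None
        for _, s in q:
            if s == src:
                seen_self = True
            elif seen_self:
                rival = s        # another node spoke after our earlier advert
        if rival is not None and vhid not in alerted:
            alerted.add(vhid)
            alerts.append((vhid, ts, sorted({src, rival})))
        q.append((ts, src))
    return alerts


FW1, FW2 = "10.10.10.3", "10.10.10.4"  # addresses from the post

# Constructed sample: FW2 stops hearing FW1 and promotes itself,
# while FW1 keeps advertising (the situation described above).
SPLIT_BRAIN = [(0.0, FW1, 1), (1.0, FW1, 1), (2.0, FW1, 1), (3.0, FW1, 1),
               (3.4, FW2, 1), (4.0, FW1, 1), (4.4, FW2, 1)]

# Constructed sample: FW1 dies, FW2 takes over, FW1 stays silent.
CLEAN_FAILOVER = [(0.0, FW1, 1), (1.0, FW1, 1), (2.0, FW1, 1),
                  (5.0, FW2, 1), (6.0, FW2, 1), (7.0, FW2, 1)]

if __name__ == "__main__":
    print(find_dual_master(SPLIT_BRAIN))
    print(find_dual_master(CLEAN_FAILOVER))
```

A node that fails and returns within the same window is also reported, since its advertisements interleave with the other node's in the same way.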


