[Snort-users] *NIX ping alerts
Keith.McCammon at ...3497...
Mon Jun 24 14:12:04 EDT 2002
I see. I suspected something like this...
I'm certainly not the authority on such things, but it would make a lot of sense (for reasons such as this) to use a static NAT scheme for any security, monitoring, and logging systems. Because you're not, you now need to pass on this traffic segment-wide, as opposed to only passing traffic sourced from your node monitor. Kind of an academic nitpick, but a fundamentally sound practice.
OK. I'm done. You know what to do!
From: Jason Gauthier [mailto:jgauthier at ...6155...]
Sent: Monday, June 24, 2002 4:56 PM
To: McCammon, Keith; Jason Gauthier; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] *NIX ping alerts
I'll give that a try. Thanks.
> Not sure how a NAT'd packet from a single monitoring node could have one
of 256 addresses.
Because my firewall has a pool of public addresses it gives to an outbound
It translates between them:
Note, these IP addresses are fake.
220.127.116.11 => 10.10.1.100
This only holds in the xlate table for 5 minutes. When it connects the next
time it could be:
18.104.22.168 => 10.10.1.100
So, really, not 256 addresses, my pool is like 90.
More information about the Snort-users