[Snort-users] *NIX ping alerts

McCammon, Keith Keith.McCammon at ...3497...
Mon Jun 24 14:12:04 EDT 2002


I see.  I suspected something like this...

[Off Topic]

I'm certainly not the authority on such things, but it would make a lot of sense (for reasons such as this) to use a static NAT scheme for any security, monitoring, and logging systems.  Because you're not, you now need to pass on this traffic segment-wide, as opposed to only passing traffic sourced from your node monitor.  Kind of an academic nitpick, but a fundamentally sound practice.

OK.  I'm done.  You know what to do!

Cheers

Keith 


-----Original Message-----
From: Jason Gauthier [mailto:jgauthier at ...6155...]
Sent: Monday, June 24, 2002 4:56 PM
To: McCammon, Keith; Jason Gauthier; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] *NIX ping alerts


I'll give that a try. Thanks.

> Not sure how a NAT'd packet from a single monitoring node could have one
of 256 addresses.  
>Sounds fishy...


Because my firewall has a pool of public addresses it gives to an outbound
connection.
It translates between them:

Note, these IP addresses are fake.

Public                   Private
------                   --------
130.19.11.45    =>       10.10.1.100

This only holds in the xlate table for 5 minutes. When it connects the next
time it could be:

Public                   Private
------                   --------
130.19.11.119    =>       10.10.1.100


So, really, not 256 addresses, my pool is like 90.







More information about the Snort-users mailing list