[Snort-users] *NIX ping alerts

Jason Gauthier jgauthier at ...6155...
Mon Jun 24 14:16:03 EDT 2002


Well, it sure would make the pass rule easier, and still monitor the rest of
my public address space.

Will do. Thanks for the advice.


>-----Original Message-----
>From: McCammon, Keith [mailto:Keith.McCammon at ...3497...]
>Sent: Monday, June 24, 2002 5:10 PM
>To: Jason Gauthier; snort-users at lists.sourceforge.net
>Subject: RE: [Snort-users] *NIX ping alerts
>
>
>I see.  I suspected something like this...
>
>[Off Topic]
>
>I'm certainly not the authority on such things, but it would 
>make a lot of sense (for reasons such as this) to use a static 
>NAT scheme for any security, monitoring, and logging systems.  
>Because you're not, you now need to pass on this traffic 
>segment-wide, as opposed to only passing traffic sourced from 
>your node monitor.  Kind of an academic nitpick, but a 
>fundamentally sound practice.
>
>OK.  I'm done.  You know what to do!
>
>Cheers
>
>Keith 
>
>
>-----Original Message-----
>From: Jason Gauthier [mailto:jgauthier at ...6155...]
>Sent: Monday, June 24, 2002 4:56 PM
>To: McCammon, Keith; Jason Gauthier; snort-users at lists.sourceforge.net
>Subject: RE: [Snort-users] *NIX ping alerts
>
>
>I'll give that a try. Thanks.
>
>> Not sure how a NAT'd packet from a single monitoring node 
>could have one
>of 256 addresses.  
>>Sounds fishy...
>
>
>Because my firewall has a pool of public addresses it gives to 
>an outbound
>connection.
>It translates between them:
>
>Note, these IP addresses are fake.
>
>Public                   Private
>------                   --------
>130.19.11.45    =>       10.10.1.100
>
>This only holds in the xlate table for 5 minutes. When it 
>connects the next
>time it could be:
>
>Public                   Private
>------                   --------
>130.19.11.119    =>       10.10.1.100
>
>
>So, really, not 256 addresses, my pool is like 90.
>
>
>




More information about the Snort-users mailing list