[Snort-users] Flexresp / interfaces

Lionel Fairon lfairon at ...6567...
Mon Sep 2 03:05:47 EDT 2002


OK, some route modification seems to resolve my problem:

eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2152112 errors:0 dropped:0 overruns:0 frame:0
          TX packets:298 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1063729044 (1014.4 Mb)  TX bytes:49340 (48.1 Kb)

eth1      Link encap:Ethernet  HWaddr yy:yy:yy:yy:yy:yy
          inet addr:10.1.1.10  Bcast:XXXXXX  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:103470 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69498 errors:0 dropped:0 overruns:0 carrier:0
          collisions:5071 txqueuelen:100
          RX bytes:15244412 (14.5 Mb)  TX bytes:30482344 (29.0 Mb)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.10       *               255.255.255.0   U     0      0        0 eth1
default         10.1.1.1        255.0.0.0       UG    0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         *               0.0.0.0         U     0      0        0 eth0


DNS server NATed and reachable with a 10.x IP
default gateway on eth1: netmask changed from 0.0.0.0 to 255.0.0.0
additional default route (no gateway) on eth0, mask 0.0.0.0

--> Communication into the sec management LAN works fine, and one RST packet is
sent on eth0
        --> RST to int network: OK; RST to ext network doesn't work,
because eth0 tries to ARP for the ext address (with the eth1 IP!)

[root at ...3970... snort]# tcpdump -i eth0 | grep ": R"
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0
11:57:59.672998 212.100.xxx.xxx.http > INT_Wall_nat.2819: R 1:1(0) ack 326 win 0



Regards,

Lionel Fairon



----- Original Message -----
From: "Chris Green" <cmg at ...1935...>
To: "Lionel Fairon" <lfairon at ...6567...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Friday, August 30, 2002 5:35 PM
Subject: Re: [Snort-users] Flexresp / interfaces


> "Lionel Fairon" <lfairon at ...6567...> writes:
>
> > I have a Linux sensor with two interfaces:
> >     eth0 = promiscuous with no IP
> >     eth1 = connected on security management LAN, no routable IP
> >
> > Is it possible to configure flexresp to generate rst_all packets on
> > eth0 ?
>
> Nope, they follow default routing rules unfortunately.
> --
> Chris Green <cmg at ...1935...>
> I've had a perfectly wonderful evening. But this wasn't it.
>      -- Groucho Marx
>




