[Snort-users] Snort_Inline + Carp

Will Metcalf william.metcalf at ...11827...
Wed Feb 3 18:40:02 EST 2010


Is this FreeBSD + ipfw + divert sockets?

Regards,

Will

2010/2/3 Alex Kirk <akirk at ...1935...>

> To be perfectly honest with you, Fabio, I'm glad to see you also addressed
> this to the Snort-Users list. I've got no experience even running CARP (I'm
> familiar with it in principle, but have never used it), let alone running it
> with snort_inline. Hopefully someone else on the list has that experience,
> and can help you out.
>
> 2010/2/3 Fábio Ferrão <ferrao04 at ...11827...>
>
>> Dear Alex,
>> How are you?
>>
>> I have a problem with snort_inline + CARP.
>>
>> What is CARP? CARP is similar to VRRP; it is a virtual interface between two
>> firewalls on the same network.
>>
>> For example: FW1 is 10.10.10.3, FW2 is 10.10.10.4. Virtual IP is
>> 10.10.10.2. FW1 is MASTER, therefore FW1 replies for IP 10.10.10.2. FW2 is
>> BACKUP. If FW1 dies, FW2's going to be the MASTER and FW2's going to reply for
>> 10.10.10.2.
>>
>> When I initialize snort_inline with all rules enabled, FW2 changes to
>> MASTER and FW1 stays MASTER, therefore I have two firewalls (FW1 and FW2)
>> replying as MASTER (10.10.10.2). This can't happen! When this happens, both
>> FW1 and FW2 go crazy! The network goes crazy!
>>
>> I'm working to resolve this problem, but I haven't found the solution
>> yet.
>>
>> Can you help me?
>>
>> Thanks.
>>
>> --
>> Fábio Ferrão
>>
>> "E conhecereis a verdade e a verdade vos libertará".    João 8.32
>> "And you will know the truth, and the truth will set you free".    John 8.32
>>
>
>
>
> --
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk at ...1935...
>
>

