[Snort-users] Snort_Inline + Carp

Fábio Ferrão ferrao04 at ...11827...
Thu Feb 4 10:47:46 EST 2010


Will,

Thank you very much. You're correct. The CARP traffic was matching in the divert
socket and CARP was going crazy.
I configured rules for CARP traffic before the divert rule.
Now snort_inline + CARP are functioning on my test network.
I'm implementing it on the production network.

One more time, THANK YOU VERY MUCH.

Best Regards.

Fábio Ferrão.


On 4 February 2010 10:24, Will Metcalf
<william.metcalf at ...11827...> wrote:

>
> Hmmm, you are not diverting your CARP traffic, are you?
>
> Regards,
>
> Will
> 2010/2/4 Fábio Ferrão <ferrao04 at ...11827...>
>
> Yes.
>>
>> 2010/2/3 Will Metcalf <william.metcalf at ...11827...>
>>
>> Is this FreeBSD + ipfw + divert sockets?
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> 2010/2/3 Alex Kirk <akirk at ...1935...>
>>>
>>>> To be perfectly honest with you, Fabio, I'm glad to see you also
>>>> addressed this to the Snort-Users list. I've got no experience even running
>>>> CARP (I'm familiar with it in principle, but have never used it), let alone
>>>> running it with snort_inline. Hopefully someone else on the list has that
>>>> experience, and can help you out.
>>>>
>>>> 2010/2/3 Fábio Ferrão <ferrao04 at ...11827...>
>>>>
>>>> Dear Alex,
>>>>> How are you?
>>>>>
>>>>> I have a problem with snort_inline + CARP.
>>>>>
>>>>> What is CARP? CARP is similar to VRRP; it is a virtual interface between
>>>>> two firewalls on the same network.
>>>>>
>>>>> For example: FW1 is 10.10.10.3, FW2 is 10.10.10.4. The virtual IP is
>>>>> 10.10.10.2. FW1 is MASTER, therefore FW1 replies for IP 10.10.10.2. FW2 is
>>>>> BACKUP. If FW1 dies, FW2 is going to become MASTER and reply for
>>>>> 10.10.10.2.
>>>>>
>>>>> When I initialize snort_inline with all rules enabled, FW2 changes
>>>>> to MASTER and FW1 stays MASTER, therefore I have two firewalls (FW1 and FW2)
>>>>> replying as MASTER (10.10.10.2). This can't happen! When this happens, both
>>>>> FW1 and FW2 go crazy! The network goes crazy!
>>>>>
>>>>> I'm working to resolve this problem, but I haven't obtained the solution
>>>>> yet.
>>>>>
>>>>> Can you help me?
>>>>>
>>>>> Thanks.
>>>>>
>>>>> --
>>>>> Fábio Ferrão
>>>>>
>>>>> "E conhecereis a verdade e a verdade vos libertará".    João 8.32
>>>>> "And you will know the truth and the truth you will free".    John 8.32
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Alex Kirk
>>>> AEGIS Program Lead
>>>> Sourcefire Vulnerability Research Team
>>>> +1-410-423-1937
>>>> alex.kirk at ...1935...
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>> --
>> Fábio Ferrão
>>
>> "E conhecereis a verdade e a verdade vos libertará".    João 8.32
>> "And you will know the truth and the truth you will free".    John 8.32
>>
>
>


-- 
Fábio Ferrão

"E conhecereis a verdade e a verdade vos libertará".    João 8.32
"And you will know the truth and the truth you will free".    John 8.32
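
The fix described in this thread depends on ipfw's first-match rule order: the CARP allow rule must have a lower number than the divert rule feeding snort_inline. The script below is an added example, not from the thread or the Snort project; it audits `ipfw list`-style output for that ordering. The sample rulesets, rule numbers and divert port 8000 are constructed, and the check looks only at action and protocol, not at addresses or interfaces.

```shell
#!/bin/sh
# Added example. CARP advertisements are IP protocol 112; if they fall into
# the divert rule, the BACKUP node can miss them and promote itself to MASTER.

# check_carp_order: reads `ipfw list` lines (no counters) on stdin.
# Prints OK/FAIL with the rule numbers involved; returns 0 only when OK.
check_carp_order() {
    awk '
        function is_carp(p) { return p == "carp" || p == "vrrp" || p == "112" }
        # "NNNNN divert PORT PROTO from ...": only rules whose protocol
        # covers CARP (ip/all or CARP itself) can capture it.
        $2 == "divert" && div == "" &&
            ($4 == "ip" || $4 == "all" || is_carp($4)) { div = $1 }
        # "NNNNN allow PROTO from ..." (allow/accept/pass/permit are synonyms).
        ($2 == "allow" || $2 == "accept" || $2 == "pass" || $2 == "permit") &&
            is_carp($3) && ok == "" { ok = $1 }
        END {
            if (div == "") { print "OK: no divert rule that matches CARP"; exit 0 }
            if (ok == "")  { print "FAIL: no CARP allow before divert " div; exit 1 }
            if (ok + 0 < div + 0) {
                print "OK: CARP allow " ok " precedes divert " div; exit 0
            }
            print "FAIL: CARP allow " ok " comes after divert " div; exit 1
        }'
}

# Constructed sample: the ordering that produced the dual-MASTER symptom.
sample_broken() {
    cat <<'EOF'
00100 divert 8000 ip from any to any
00200 allow carp from any to any
65535 deny ip from any to any
EOF
}

# Constructed sample: CARP is accepted before anything is diverted.
sample_fixed() {
    cat <<'EOF'
00100 allow carp from any to any
00200 divert 8000 ip from any to any
65535 deny ip from any to any
EOF
}

# Demo run; on a live FreeBSD firewall use: ipfw list | check_carp_order
sample_broken | check_carp_order || true
sample_fixed  | check_carp_order || true
```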