Thu Nov 23 16:36:19 EST 2017
you use the inside interface of the IDS box to route through your
internal firewall/router? Perhaps the outside interface was left
without any IP addresses on purpose.
> traceroute stops at the gateway. Everything appears normal
> and snort even starts
What gateway? The default gateway? An internal firewall? Your ISP's
router? Which interface is the traceroute using? If the gateway is
dropping its packets then it's a router problem.
> ifconfig -a
> ti0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> media: Ethernet autoselect (1000baseTX full-duplex)
> status: active
> inet6 fe80::202:e3ff:fe00:42f0%ti0 prefixlen 64 scopeid 0x1
> flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet 128.105.a.12 netmask 0xffffff00 broadcast 128.105.a.255
> inet6 fe80::2c0:f0ff:fe30:df78%de0 prefixlen 64 scopeid 0x2
> pflog0: flags=0<> mtu 33224 sl0:
> mtu 296 sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
Which interface is de0? 128.105.a.12? Is that inside or out?
What interface is ti0? Why doesn't it have an IP address?
What's your default gateway?
You can check the /etc/hostname.if files and the /etc/mygate file to
find that out. Some problems might arise if you overwrote certain files
in /etc or if there were site-specific configuration details in the
global startup files (people using route add in rc instead of rc.local
etc, people using ifconfig in an rc file instead of hostname.if files,
etc) that weren't migrated back over.
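
The check described above can be scripted. The following is an added example, not part of the original message: it reports what the hostname.if files and mygate contain and flags interface or route commands sitting directly in rc or rc.local. The function names, the grep heuristics and the sample tree (documentation addresses) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit where OpenBSD-style network settings live.
# audit_netcfg DIR  -- DIR is /etc or a copy of it (hypothetical helper).
audit_netcfg() {
    etc=$1
    found=0
    # Per-interface configuration belongs in hostname.<if> files.
    for f in "$etc"/hostname.*; do
        [ -f "$f" ] || continue
        found=1
        # First non-comment, non-blank line is the primary configuration.
        first=$(grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' | head -n 1)
        echo "iface ${f##*/hostname.}: ${first:-<empty>}"
    done
    [ "$found" -eq 1 ] || echo "iface: no hostname.<if> files"

    # The default gateway belongs in mygate.
    if [ -s "$etc/mygate" ]; then
        echo "gateway: $(grep -v '^[[:space:]]*#' "$etc/mygate" | head -n 1)"
    else
        echo "gateway: mygate missing or empty"
    fi

    # Heuristic: settings placed directly in startup scripts are the ones
    # lost when those files are overwritten. Flag ifconfig in either rc
    # file and "route add" in the global rc.
    for rc in rc rc.local; do
        [ -f "$etc/$rc" ] || continue
        if [ "$rc" = rc ]; then pat='^[[:space:]]*(ifconfig|route[[:space:]]+add)'
        else pat='^[[:space:]]*ifconfig'; fi
        grep -nE "$pat" "$etc/$rc" | sed "s|^|stray $rc:|"
    done
    return 0
}

# Constructed sample tree (documentation addresses, not from the thread).
make_sample() {
    d=$(mktemp -d)
    printf 'inet 192.0.2.12 255.255.255.0 NONE\n' > "$d/hostname.de0"
    printf '192.0.2.1\n' > "$d/mygate"
    printf '# global startup\nroute add default 192.0.2.1\n' > "$d/rc"
    printf 'ifconfig ti0 up\n' > "$d/rc.local"
    echo "$d"
}
```

Source the file and run `audit_netcfg /etc` on the sensor, or `audit_netcfg "$(make_sample)"` to see the output on the constructed tree; an interface that has no hostname.if file simply does not appear in the iface lines.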