RE: OpenBSD, snort, Two nic's outside network

["Robert Schwartz" <robert () mrsquirrel com>]

> -----Original Message-----
> From: snort-users-admin () lists sourceforge net 
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jonathan
> Sent: Saturday, June 22, 2002 1:26 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] OpenBSD, snort, Two nic's outside network
>
>
> Hello,
>
> Recently, A disk died on our IDS box.  It runs OpenBSD, psql 
> logs to our DB and it has two ethernet cards.  I was able to 
> get everything from backups which brings me to the problem.  
> I essentially copied the old /etc/ into the new /etc/.  I 

Did you install a new binary release before restoring files?  If so is
that release the same version as you had in your backups? 

> would presume nothing had changed, but wrong.  The network 

If it's the same version as the previous install then nothing has
changed in /etc.  If it's a newer version then check the OpenBSD upgrade
mini-faq on the FAQ page of their web site before merging the contents
of /etc.

> comes up and works great for our internal network but I am 
> unable to reach the outside world.  Host resolves names, 

> From the IDS box?  What do you mean by "reach" the outside world?  Can
you use the inside interface of the IDS box to route through your
internal firewall/router?  Perhaps the outside interface was left
without any IP addresses on purpose.

> traceroute stops at the gateway.  Everything appears normal 
> and snort evenstarts

What gateway?  The default gateway?  An internal firewall?  Your ISP's
router?  Which interface is the traceroute using?  If the gateway is
dropping it's packets then it's a router problem.

> ifconfig -a
>
> ti0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         media: Ethernet autoselect (1000baseTX full-duplex)
>         status: active
>         inet6 fe80::202:e3ff:fe00:42f0%ti0 prefixlen 64 scopeid 0x1 
> de0: 
> flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 
> 1500
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 128.105.a.12 netmask 0xffffff00 broadcast 128.105.a.255
>         inet6 fe80::2c0:f0ff:fe30:df78%de0 prefixlen 64 scopeid 0x2
> pflog0: flags=0<> mtu 33224 sl0: 
> flags=c010<POINTOPOINT,LINK2,MULTICAST>
> mtu 296 sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296 


Which interface is de0?  128.105.a.12?  Is that inside or out?  
What interface is ti0?  Why doesn't it have an IP address?
What's your default gateway?

you can check the /etc/hostname.if files and the /etc/mygate file to
find that out.  Some problems might arise if you overwrote certain files
in /etc or if there were site specific configuration details in the
global startup files (people using route add in rc instead of rc.local
etc, people use ifconfig in an rc file instead of hostname.if files,
etc) that weren't migrated back over. 



-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users