RE: *NIX ping alerts

["McCammon, Keith" <Keith.McCammon () eadvancemed com>]

I see.  I suspected something like this...

[Off Topic]

I'm certainly not the authority on such things, but it would make a lot of sense (for reasons such as this) to use a 
static NAT scheme for any security, monitoring, and logging systems.  Because you're not, you now need to pass on this 
traffic segment-wide, as opposed to only passing traffic sourced from your node monitor.  Kind of an academic nitpick, 
but a fundamentally sound practice.

OK.  I'm done.  You know what to do!

Cheers

Keith 


-----Original Message-----
From: Jason Gauthier [mailto:jgauthier () lastar com]
Sent: Monday, June 24, 2002 4:56 PM
To: McCammon, Keith; Jason Gauthier; snort-users () lists sourceforge net
Subject: RE: [Snort-users] *NIX ping alerts


I'll give that a try. Thanks.

> Not sure how a NAT'd packet from a single monitoring node could have one
of 256 addresses.  
> Sounds fishy...


Because my firewall has a pool of public addresses it gives to an outbound
connection.
It translates between them:

Note, these IP addresses are fake.

Public                   Private
------                   --------
130.19.11.45    =>       10.10.1.100

This only holds in the xlate table for 5 minutes. When it connects the next
time it could be:

Public                   Private
------                   --------
130.19.11.119    =>       10.10.1.100


So, really, not 256 addresses, my pool is like 90.





-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users