Snort mailing list archives

Re: using flex-resp without an IP address


From: Erek Adams <erek () snort org>
Date: Tue, 18 Mar 2003 14:05:41 -0500 (EST)

On Tue, 18 Mar 2003, Eric Baur wrote:

      In order to use the flexible response capability in snort, is it
required that the interface snort is listening on have an IP address?
      In our current set up, we have a snort box (running on Linux,
snort-1.9.0) that has an IP address behind the firewall and then an
interface running w/out an IP in front of the firewall that snort is
listening on.  We'd like to be able to use the flex-resp option to kill
traffic on the outside of our firewall (for slightly better response time,
in part), but it doesn't seem to be working.
      I gave it an IP address temporarily, and it seems to be working now,
but I don't consider that a long term solution - since we don't want to be
running it unprotected.

If you don't have an IP you can't send IP traffic.  If you want it to send
data back, you'll need to add a _third_ interface and statically route all
outbound traffic out that NIC.

To be honest, move it behind the firewall.  If the packets are on the
'front side' of the firewall, they've crossed your WAN link, which means
bandwidth used.  Deny all at the FW, only allow selected things.  Put snort
behind it, and the management NIC on a separate segment.  You're done...

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

