Re: Snort_Inline + Carp

[Fábio Ferrão <ferrao04 () gmail com>]

Will,

Thank you very much. You're correct. The CARP traffic was matching in divert
socket and CARP was crazy.
I configured rules for CARP traffic before divert rule.
Now, the snort_inline + CARP are functioning on my test network.
I'm implementing on production network.

One more time, THANK YOU VERY MUCH.

Best Regards.

Fábio Ferrão.


Em 4 de fevereiro de 2010 10:24, Will Metcalf
<william.metcalf () gmail com>escreveu:

> hmmm you are not diverting traffic your carp traffic are you?
>
> Regards,
>
> Will
> 2010/2/4 Fábio Ferrão <ferrao04 () gmail com>
>
> Yes.
> > 2010/2/3 Will Metcalf <william.metcalf () gmail com>
> >
> > Is this FreeBSD + ipfw + divert sockets?
> > > Regards,
> > >
> > > Will
> > >
> > > 2010/2/3 Alex Kirk <akirk () sourcefire com>
> > >
> > > > To be perfectly honest with you, Fabio, I'm glad to see you also
> > > > addressed this to the Snort-Users list. I've got no experience even running
> > > > CARP (I'm familiar with it in principle, but have never used it), let alone
> > > > running it with snort_inline. Hopefully someone else on the list has that
> > > > experience, and can help you out.
> > > >
> > > > 2010/2/3 Fábio Ferrão <ferrao04 () gmail com>
> > > >
> > > > Dear Alex,
> > > > > How are you?
> > > > >
> > > > > I have a problem with snort_inline + CARP.
> > > > >
> > > > > What's the CARP? Carp is similiar VRRP, is a virtual interface between
> > > > > two firewalls on the same network.
> > > > >
> > > > > For example: FW1 is 10.10.10.3, FW2 is 10.10.10.4. Virtual IP is
> > > > > 10.10.10.2. FW1 is MASTER, therefore FW1 reply by IP 10.10.10.2. FW2 is
> > > > > BACKUP. If FW1 die, FW2's going to be the MASTER and FW2's going to reply by
> > > > > 10.10.10.2.
> > > > >
> > > > > When I initialize snort_inline with all rules enable, the FW2 changes
> > > > > for MASTER and FW1 stay MASTER, therefore I have two firewalls (FW1 and FW2)
> > > > > replying by MASTER (10.10.10.2). This can't happen! When this happen, both
> > > > > FW1 and FW2 stay crazy! The network stay crazy!
> > > > >
> > > > > I'm working for resolve this problem, but i didn't obtain the solution
> > > > > yet.
> > > > >
> > > > > Can you help me?
> > > > >
> > > > > Thanks.
> > > > >
> > > > > --
> > > > > Fábio Ferrão
> > > > >
> > > > > "E conhecereis a verdade e a verdade vos libertará".    João 8.32
> > > > > "And you will know the truth and the truth you will free".    John 8.32
> > > >
> > > >
> > > >
> > > > --
> > > > Alex Kirk
> > > > AEGIS Program Lead
> > > > Sourcefire Vulnerability Research Team
> > > > +1-410-423-1937
> > > > alex.kirk () sourcefire com
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > The Planet: dedicated and managed hosting, cloud storage, colocation
> > > > Stay online with enterprise data centers and the best network in the
> > > > business
> > > > Choose flexible plans and management services without long-term
> > > > contracts
> > > > Personal 24x7 support from experience hosting pros just a phone call
> > > > away.
> > > > http://p.sf.net/sfu/theplanet-com
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> > --
> > Fábio Ferrão
> >
> > "E conhecereis a verdade e a verdade vos libertará".    João 8.32
> > "And you will know the truth and the truth you will free".    John 8.32


-- 
Fábio Ferrão

"E conhecereis a verdade e a verdade vos libertará".    João 8.32
"And you will know the truth and the truth you will free".    John 8.32

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users