Netgate Discussion Forum

    Does Snort work on Virtual IPs?

    pfSense Packages
    • Supermule (Banned)

      Does Snort work on Virtual IPs set up as Proxy ARPs?

      If I had a /228 range, does it monitor every virtual IP on WAN?

      • Supermule (Banned)

        /26 range that is….

        • cmb

          Yes, it passively listens, IPs are irrelevant.

          • Supermule (Banned)

            Thx Chris! Happy new years to you and your family and thanks for all the support in 2012!

            • joako

              Hate to dig up an old topic but I have Snort running on the WAN interface and a virtual IP newly added to the WAN interface. The same traffic passed through the virtual IP does not trigger Snort blocking or an alert entry in the log. I can run nmap once from a remote host to the WAN IP and it will immediately alert & block but on the virtual IP I can nmap 10x without any effects.

              • bmeeks

                @joako:

                Hate to dig up an old topic but I have Snort running on the LAN interface and a virtual IP newly added to the LAN interface. The same traffic passed through the virtual IP does not trigger Snort blocking or an alert entry in the log. I can run nmap once from a remote host to the WAN IP and it will immediately alert & block but on the virtual IP I can nmap 10x without any effects.

                Virtual IPs seem to have their own unique problems. Supermule has reported issues with Virtual IPs in his WAN getting blocked (at least that was true with the previous 2.9.2.3 version). Haven't heard from him yet whether or not the same issue exists with 2.9.4.1.

                I have not gotten around to it yet, but I want to build a CARP/Virtual IP environment in VMware and test out Snort and virtual IPs.

                Bill

                • Supermule (Banned)

                  I haven't updated since we are still seeing a lot of trouble, Bill. The latest I run is with your custom code.

                  • bmeeks

                    @Supermule:

                    I haven't updated since we are still seeing a lot of trouble, Bill. The latest I run is with your custom code.

                    Do you perhaps have one firewall you could test the latest code with? I would be really interested in the results from a 2.0.2 box if you have any.

                    Bill

                    • Supermule (Banned)

                      No worries. Will set one up during Easter holidays when wife and kids are out shopping :D

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.