Hi
I just downloaded the new 1.8 and set up a test system with an ASL box and a single Windows client behind it. I plugged the ASL's eth0 and eth1 into a hub, and plugged the client and the router into the same hub. The setup worked for about 10 minutes, but suddenly new connections from the client couldn't be established through the firewall. Connections that were already established through the firewall (file transfers, ssh, etc.) continued to work. I couldn't even ping the ASL box.
I then did a bit of investigating in the log file and found this message.
Mar 18 00:03:31 MostlyHarmless kernel: IP-SPOOFING Drop: IN=eth1 OUT= MAC=00:50:da:63:8c:f1:00:50:bf:4f:e0:2d:08:00 SRC=192.168.1.2 DST=192.168.1.2 LEN=74 TOS=0x00 PREC=0x00 TTL=128 ID=42573 PROTO=UDP SPT=1089 DPT=53 LEN=54
eth1 is my external NIC with a real IP, so I guess the card had picked up a packet that was meant for the eth0 card. The firewall then dropped the packet with an IP-SPOOFING message, and from a security viewpoint this is totally acceptable. I then changed the setup so that the cable from the router went straight into eth1 and only eth0 and the client were connected through the hub, and everything worked out great.
So here is my real question: why doesn't the IP-SPOOFING message show up in the IDS logs? I would think an IP-SPOOFING attack is just as serious as a port scan.
Best regards
Henrik Pedersen
Denmark
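The check behind the dropped line above, as an added example that is not code from the thread or from Astaro: it parses a kernel netfilter log line into its KEY=VALUE fields, decodes the MAC field, and applies the usual anti-spoofing rule (an address from the LAN range is only acceptable on the LAN interface, and the LAN interface must only see LAN sources). The interface roles (eth0 internal, eth1 external) and the LAN range 192.168.1.0/24 are assumptions for the example, as is the second, constructed log line used as a legitimate comparison; the first sample line is the one quoted in the post, copied with the MAC field as plain colon-separated hex.

```python
import ipaddress
import re

# Assumed addressing for this example (not configuration taken from the post):
# 192.168.1.0/24 is the LAN behind eth0, eth1 is the external interface.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
INTERNAL_IFACES = {"eth0"}
EXTERNAL_IFACES = {"eth1"}

# The dropped packet quoted in the post (MAC field as plain hex).
SAMPLE_LINE = (
    "Mar 18 00:03:31 MostlyHarmless kernel: IP-SPOOFING Drop: IN=eth1 OUT= "
    "MAC=00:50:da:63:8c:f1:00:50:bf:4f:e0:2d:08:00 SRC=192.168.1.2 DST=192.168.1.2 "
    "LEN=74 TOS=0x00 PREC=0x00 TTL=128 ID=42573 PROTO=UDP SPT=1089 DPT=53 LEN=54"
)

# Constructed comparison line: the same client packet, but arriving on eth0 as it
# should, with a DNS query going out to an (assumed) external resolver.
LAN_LINE = (
    "Mar 18 00:03:32 MostlyHarmless kernel: FORWARD: IN=eth0 OUT=eth1 "
    "MAC=00:50:da:63:8c:f1:00:50:bf:4f:e0:2d:08:00 SRC=192.168.1.2 DST=198.51.100.10 "
    "LEN=74 TOS=0x00 PREC=0x00 TTL=128 ID=42574 PROTO=UDP SPT=1090 DPT=53 LEN=54"
)

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_log(line):
    """Split a kernel netfilter log line into (prefix, fields).

    prefix is the free text between 'kernel:' and the first IN= token, i.e. the
    rule's --log-prefix ('IP-SPOOFING Drop:'). fields maps each KEY=VALUE token
    to its string value. LEN appears twice (IP total length, then transport
    length); the second one is stored as 'L4_LEN' so it does not clobber the first.
    """
    m = re.search(r"kernel:\s*(.*?)\s*(IN=.*)$", line)
    if not m:
        raise ValueError("not a netfilter log line")
    prefix, rest = m.group(1), m.group(2)
    fields = {}
    for key, value in FIELD_RE.findall(rest):
        if key in fields:
            key = "L4_" + key
        fields[key] = value
    return prefix, fields


def split_mac_field(mac_field):
    """Decode MAC=: 6 bytes destination MAC, 6 bytes source MAC, 2 bytes ethertype."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError("unexpected MAC field length")
    return (":".join(octets[0:6]), ":".join(octets[6:12]), ":".join(octets[12:14]))


def is_spoofed(in_iface, src):
    """Anti-spoofing rule keyed on the ingress interface.

    A LAN source on the external interface is a spoof (or, as in the post, a
    LAN frame that reached the wrong NIC); a non-LAN source on the LAN
    interface is a spoof as well.
    """
    addr = ipaddress.ip_address(src)
    internal_src = any(addr in net for net in INTERNAL_NETS)
    if in_iface in EXTERNAL_IFACES:
        return internal_src
    if in_iface in INTERNAL_IFACES:
        return not internal_src
    raise ValueError(f"unknown interface {in_iface}")


def classify(line):
    """Return (prefix, fields, verdict) where verdict is 'spoofed' or 'ok'."""
    prefix, fields = parse_netfilter_log(line)
    verdict = "spoofed" if is_spoofed(fields["IN"], fields["SRC"]) else "ok"
    return prefix, fields, verdict


if __name__ == "__main__":
    for line in (SAMPLE_LINE, LAN_LINE):
        prefix, f, verdict = classify(line)
        dst_mac, src_mac, ethertype = split_mac_field(f["MAC"])
        print(f"{prefix!r:22} IN={f['IN']:5} SRC={f['SRC']:14} "
              f"{f['PROTO']}/{f['DPT']} from {src_mac} -> {dst_mac} : {verdict}")
```

The verdict on the posted line comes purely from the pair (IN=eth1, SRC=192.168.1.2): a LAN address on the external interface is exactly what an anti-spoofing rule (or the kernel's reverse-path filter) is built to reject, regardless of whether the cause is an attacker or, as here, both NICs sharing one hub.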