Netgate Discussion Forum

    Which device caused the SNORT alert?

    Category: IDS/IPS (3 posts, 2 posters, 342 views)
    forestaccounted

      I am just experimenting/learning and having fun with SNORT. I am starting with a connection-based policy without blocking. I have googled and found articles similar in topic, but they don't address my question. I want to see what device I am working with. When I see alert X, how do I see which device on my network was the source or target for a connection? Do I have to do a packet capture, or is there another way?

    bmeeks

        Uh...you just look at the two IP addresses recorded in the alert. Those will be the Source and Destination IP and port.

        I recommend users put an IDS/IPS on their LAN only. If you put it on the WAN, then all the addresses for any local hosts (those on your LAN, for example) will be hidden, as their IP address will be overwritten by NAT (meaning the address you see in the WAN alerts will be only the WAN public IP).

        Since you are asking your question, it sounds like you put the IDS/IPS on the WAN. Wrong place. Move it to the LAN.

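The point in the reply above is easy to see by parsing the alerts themselves. The following is an added example, not code from the forum or from Netgate: it reads Snort alerts in the `alert_fast` text format (the same source/destination fields pfSense shows in its alerts tab), pulls out the two endpoints, and reports which one is the LAN device. An endpoint in an RFC 1918 range is a host you can name; if the only "local" endpoint is the firewall's own WAN address, the alert was taken on the WAN side after outbound NAT and the real host is simply not in the alert. The WAN address `198.51.100.7` and the sample alert lines are constructed for illustration.

```python
"""Work out which LAN host a Snort alert_fast alert names.

Added example for the thread above (not Netgate's or the Snort package's code).
Assumptions: alerts are in Snort's alert_fast text format, IPv4 only; the WAN
address and the sample lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# alert_fast layout:
#   <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# Classification and Priority may be absent; ICMP alerts carry no ports.
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    rf"(?P<src>{_IP})(?::(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{_IP})(?::(?P<dport>\d+))?\s*$"
)

# RFC 1918 ranges: a host behind the firewall sits in one of these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Alert:
    sid: int
    msg: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _port(text: Optional[str]) -> Optional[int]:
    return int(text) if text is not None else None


def parse_alert(line: str) -> Alert:
    """Parse one alert_fast line into its fields; raise on anything else."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an alert_fast line: {line!r}")
    return Alert(int(m["sid"]), m["msg"], m["proto"],
                 m["src"], _port(m["sport"]), m["dst"], _port(m["dport"]))


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def locate_lan_host(alert: Alert, wan_ip: str) -> Tuple[str, Optional[str]]:
    """Which end of the alert is the LAN device?

    ("src"|"dst", ip)     one endpoint is RFC 1918: alert was taken on the LAN side.
    ("nat-masked", None)  the only local-looking endpoint is the firewall's WAN
                          address: alert was taken on the WAN side after NAT, and the
                          originating host cannot be recovered from the alert alone.
    ("external", None)    neither endpoint is ours.
    """
    if is_rfc1918(alert.src):
        return "src", alert.src
    if is_rfc1918(alert.dst):
        return "dst", alert.dst
    if wan_ip in (alert.src, alert.dst):
        return "nat-masked", None
    return "external", None


def summarize(lines: List[str], wan_ip: str) -> List[Tuple[int, str, Optional[str]]]:
    """(sid, side, host) for each alert line."""
    out = []
    for line in lines:
        a = parse_alert(line)
        side, host = locate_lan_host(a, wan_ip)
        out.append((a.sid, side, host))
    return out


WAN_IP = "198.51.100.7"  # constructed: the firewall's public address

SAMPLE_ALERTS = [  # constructed sample lines
    # Seen on LAN: the internal host 192.168.1.23 is right there in the alert.
    "01/02-03:04:05.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.168.1.23:52114",
    # Same flow seen on WAN: outbound NAT rewrote 192.168.1.23 to the WAN address
    # (and may rewrite the source port as well), so the host is gone from the alert.
    "01/02-03:04:05.123470  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 198.51.100.7:61337",
    # ICMP alert on LAN: no ports in the line, host still identifiable.
    "01/02-03:05:00.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] "
    "[Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.1",
]

if __name__ == "__main__":
    for sid, side, host in summarize(SAMPLE_ALERTS, WAN_IP):
        print(f"sid {sid}: {side} {host or ''}".rstrip())
```

Running it prints `dst 192.168.1.23` for the LAN copy of the alert and `nat-masked` for the WAN copy of the very same flow, which is exactly why the reply says to put the IDS on the LAN interface: no amount of log parsing gets the host back once NAT has rewritten it.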
    forestaccounted @bmeeks

          @bmeeks thank you! I’m embarrassed. That’s hilarious. I really appreciate it!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.