Which device caused the SNORT alert?

IDS/IPS
Log in to reply
  • F

    I am just experimenting\learning and having fun with SNORT. I am starting with a connection based policy without blocking. I have googled and found articles similar in topic but don't address my question. I want to see what device I am working with. When I see alert X, how do I see which device on my network was the source or target for a connection? Do I have to do a packet capture or is there another way?

    0
  • bmeeks

    Uh...you just look at the two IP addresses recorded in the alert. Those will be the Source and Destination IP and port.

    I recommend users put an IDS/IPS on their LAN only. If you put it on the WAN, then all the addresses for any local hosts (those on your LAN, for example), will be hidden as their IP address will be overwritten by NAT (meaning the address you see in the WAN alerts will be only the WAN public IP).

    Since you are asking your question, it sounds like you put the IDS/IPS on the WAN. Wrong place. Move it to the LAN.

    F 1 Reply 0
  • F

    @bmeeks thank you! I’m embarrassed. That’s hilarious. I really appreciate it!

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy