Which device caused the SNORT alert?

  • I am just experimenting/learning and having fun with SNORT. I am starting with a connection based policy without blocking. I have googled and found articles similar in topic but don't address my question. I want to see what device I am working with. When I see alert X, how do I see which device on my network was the source or target for a connection? Do I have to do a packet capture or is there another way?

  • Uh...you just look at the two IP addresses recorded in the alert. Those will be the Source and Destination IP and port.

    I recommend users put an IDS/IPS on their LAN only. If you put it on the WAN, then all the addresses for any local hosts (those on your LAN, for example), will be hidden as their IP address will be overwritten by NAT (meaning the address you see in the WAN alerts will be only the WAN public IP).

    Since you are asking your question, it sounds like you put the IDS/IPS on the WAN. Wrong place. Move it to the LAN.
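The answer above boils down to reading the two endpoints out of the alert and checking which one is a LAN address. As an added example (not from the thread or from Snort itself), the script below parses Snort's `alert_fast` output lines, picks the endpoint that falls inside the LAN subnet, maps it to a hostname through a DHCP-lease table, and flags the NAT problem the answer describes: if the only "local" endpoint is the WAN address, the sensor is on the wrong interface. The alert lines, SIDs (local-rule range), subnet, WAN address and lease table are all constructed for the example, and it handles IPv4 only.

```python
import ipaddress
import re
from typing import Dict, NamedTuple, Optional

# Snort fast-format alert line ("output alert_fast"). Constructed shape:
#   03/15-14:22:01.123456  [**] [1:1000001:1] LOCAL test [**] [Priority: 2] {TCP} 203.0.113.10:443 -> 192.168.1.25:51234
# IPv4 only: with IPv6 the ':' port separator is ambiguous and needs separate handling.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{IPV4})(?::(?P<dport>\d+))?\s*$"
)


class Alert(NamedTuple):
    sid: int
    msg: str
    proto: str
    src: ipaddress.IPv4Address
    sport: Optional[int]   # None for protocols without ports (ICMP)
    dst: ipaddress.IPv4Address
    dport: Optional[int]


def parse_fast_alert(line: str) -> Optional[Alert]:
    """Extract SID, message, protocol and both endpoints from one alert_fast line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(
        sid=int(m["sid"]),
        msg=m["msg"],
        proto=m["proto"].upper(),
        src=ipaddress.IPv4Address(m["src"]),
        sport=int(m["sport"]) if m["sport"] else None,
        dst=ipaddress.IPv4Address(m["dst"]),
        dport=int(m["dport"]) if m["dport"] else None,
    )


def attribute_alert(alert: Alert, lan_net: ipaddress.IPv4Network,
                    wan_ip: ipaddress.IPv4Address, leases: Dict[str, str]) -> dict:
    """Name the LAN device behind an alert, or explain why it cannot be named."""
    for ip, role in ((alert.src, "source"), (alert.dst, "target")):
        if ip in lan_net:
            return {"device": str(ip), "name": leases.get(str(ip), "unknown host"),
                    "role": role, "warning": None}
    if wan_ip in (alert.src, alert.dst):
        # Only the firewall's own public address is visible: NAT already rewrote
        # the LAN host, so this sensor is watching the WAN side.
        return {"device": None, "name": None, "role": None,
                "warning": "local endpoint is the WAN address (NAT); move the sensor to LAN"}
    return {"device": None, "name": None, "role": None,
            "warning": "neither endpoint is in the LAN subnet"}


# Constructed sample data, not real traffic: sensor on LAN (TCP), sensor on LAN (ICMP),
# and the same rule firing on a WAN-side sensor where NAT hides the LAN host.
SAMPLE_ALERTS = [
    "03/15-14:22:01.123456  [**] [1:1000001:1] LOCAL inbound test rule [**] "
    "[Priority: 2] {TCP} 203.0.113.10:443 -> 192.168.1.25:51234",
    "03/15-14:23:09.000111  [**] [1:1000002:1] LOCAL ping test rule [**] "
    "[Priority: 3] {ICMP} 192.168.1.40 -> 198.51.100.7",
    "03/15-14:25:44.987654  [**] [1:1000001:1] LOCAL inbound test rule [**] "
    "[Priority: 2] {TCP} 203.0.113.10:443 -> 198.51.100.200:51234",
]
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_IP = ipaddress.ip_address("198.51.100.200")
DHCP_LEASES = {"192.168.1.25": "laptop-alice", "192.168.1.40": "nas"}  # constructed


def attribute_all(lines, lan_net=LAN_NET, wan_ip=WAN_IP, leases=DHCP_LEASES):
    """Parse every line and attribute the ones that match; skipped lines are unparsable."""
    results = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is not None:
            results.append((alert, attribute_alert(alert, lan_net, wan_ip, leases)))
    return results


if __name__ == "__main__":
    for alert, who in attribute_all(SAMPLE_ALERTS):
        print(f"sid {alert.sid} {alert.proto} {alert.src} -> {alert.dst}: {who}")
```

Pointing `attribute_all` at a real `alert` file (one `alert_fast` line per entry) and at the firewall's DHCP lease or ARP table instead of the constructed dictionary gives the hostname directly from the alert, with no packet capture needed; the third sample shows why a WAN-side sensor can only ever name the firewall itself.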

  • @bmeeks thank you! I’m embarrassed. That’s hilarious. I really appreciate it!