Getting internal IP in snort logs?
I'm using a single snort instance on the WAN, and of course it only shows the WAN IP in the alert logs. Is there a good way to display the internal IP (NAT) in the logs? It would help tremendously in discovering undetected viruses on the network.
Should I put another snort instance on the LAN? I suppose I'd need to divide the rules up to which ones are applicable on the WAN, and which are applicable to the LAN.
You must also run snort on the LAN side to see the LAN IP in the alerts - of course you will get duplicate alerts in that case, but it's the only way to check both incoming and outgoing traffic.
OK. I setup a second instance in logging-only mode with just the rules that would be relevant to the workstations I'm concerned with (virus, malware, phishing, etc). After I get a better idea of what rules are relevant to the LAN, and which are relevant to the WAN, I'll divide the rulesets between the two sensors and have both operate in blocking mode. I think this would be the most efficient use of resources.