Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Getting internal IP in snort logs?

    pfSense Packages
    2
    3
    1733
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      JustinHoMi last edited by

      I'm using a single snort instance on the WAN, and of course it only shows the WAN IP in the alert logs. Is there a good way to display the internal IP (NAT) in the logs? It would help tremendously in discovering undetected viruses on the network.

      Should I put another snort instance on the LAN? I suppose I'd need to divide the rules up to which ones are applicable on the WAN, and which are applicable to the LAN.

      Justin

      1 Reply Last reply Reply Quote 0
      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        You must also run snort on the LAN side to see the LAN IP in the alerts - of course you will get duplicate alerts in that case, but it's the only way to check both incoming and outgoing traffic.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • J
          JustinHoMi last edited by

          OK. I setup a second instance in logging-only mode with just the rules that would be relevant to the workstations I'm concerned with (virus, malware, phishing, etc). After I get a better idea of what rules are relevant to the LAN, and which are relevant to the WAN, I'll divide the rulesets between the two sensors and have both operate in blocking mode. I think this would be the most efficient use of resources.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post

          Products

          • Platform Overview
          • TNSR
          • pfSense
          • Appliances

          Services

          • Training
          • Professional Services

          Support

          • Subscription Plans
          • Contact Support
          • Product Lifecycle
          • Documentation

          News

          • Media Coverage
          • Press
          • Events

          Resources

          • Blog
          • FAQ
          • Find a Partner
          • Resource Library
          • Security Information

          Company

          • About Us
          • Careers
          • Partners
          • Contact Us
          • Legal
          Our Mission

          We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

          Subscribe to our Newsletter

          Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

          © 2021 Rubicon Communications, LLC | Privacy Policy