Netgate Discussion Forum

    Getting internal IP in snort logs?

      JustinHoMi

      I'm using a single snort instance on the WAN, and of course it only shows the WAN IP in the alert logs. Is there a good way to display the internal IP (NAT) in the logs? It would help tremendously in discovering undetected viruses on the network.

      Should I put another snort instance on the LAN? I suppose I'd need to divide the rules up to which ones are applicable on the WAN, and which are applicable to the LAN.

      Justin

        jimp Rebel Alliance Developer Netgate

        You must also run snort on the LAN side to see the LAN IP in the alerts - of course you will get duplicate alerts in that case, but it's the only way to check both incoming and outgoing traffic.

          JustinHoMi

          OK. I set up a second instance in logging-only mode with just the rules that would be relevant to the workstations I'm concerned with (virus, malware, phishing, etc). After I get a better idea of what rules are relevant to the LAN, and which are relevant to the WAN, I'll divide the rulesets between the two sensors and have both operate in blocking mode. I think this would be the most efficient use of resources.

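One way to pair the duplicate alerts that the WAN and LAN sensors discussed in this thread produce, so that each WAN alert carries the internal address behind the NAT. This is an added example, not code from the thread or from pfSense/Snort; the CSV column layout, addresses, SIDs, LAN subnet and 2-second matching window are constructed assumptions.

```python
import csv, io, ipaddress
from datetime import datetime, timedelta

WAN_IP = "203.0.113.10"                          # constructed: firewall's public address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed: internal subnet
WINDOW = timedelta(seconds=2)                    # assumed max skew between the two sensors

# Constructed sample alerts. The column layout is hypothetical, not Snort's own log format.
WAN_ALERTS = """time,sid,src,dst
2024-05-01 10:00:01,1000001,203.0.113.10,198.51.100.7
2024-05-01 10:00:05,1000002,198.51.100.99,203.0.113.10
2024-05-01 10:03:20,1000001,203.0.113.10,198.51.100.7
"""
LAN_ALERTS = """time,sid,src,dst
2024-05-01 10:00:01,1000001,192.168.1.23,198.51.100.7
2024-05-01 10:03:21,1000001,192.168.1.57,198.51.100.7
"""

def load(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
    return rows

def is_internal(ip):
    return ipaddress.ip_address(ip) in LAN_NET

def remote_peer(alert, is_local):
    """Return the address on the far side of the firewall for this alert."""
    return alert["dst"] if is_local(alert["src"]) else alert["src"]

def correlate(wan, lan, wan_ip=WAN_IP, window=WINDOW):
    """Annotate each WAN alert with the internal host from its LAN duplicate."""
    unused, out = list(lan), []
    for w in wan:
        peer = remote_peer(w, lambda ip: ip == wan_ip)
        match = next((l for l in unused
                      if l["sid"] == w["sid"]
                      and remote_peer(l, is_internal) == peer
                      and abs(l["time"] - w["time"]) <= window), None)
        internal = None
        if match:
            unused.remove(match)  # one LAN alert explains one WAN alert
            internal = match["src"] if is_internal(match["src"]) else match["dst"]
        out.append({**w, "internal_ip": internal})
    return out
```

A WAN alert left with `internal_ip` set to `None` has no LAN-side duplicate, for example inbound traffic that was never forwarded to an internal host.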
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.