Snort Local IP Triggering WAN Rule



  • Hello, I have a local IP that is constantly triggering some rules on Snort on my network. The server IPs are blocked by Snort, but I keep getting hits and alerts. The problem is that on the log only the WAN IP appears. Is there any way to detect who is constantly accessing the IPs? I could make a block rule and log that rule, but is there any other way? A log or something?

    Thank You
    Best Regards



  • @soloam:

    Hello, I have a local IP that is constantly triggering some rules on Snort on my network. The server IPs are blocked by Snort, but I keep getting hits and alerts. The problem is that on the log only the WAN IP appears. Is there any way to detect who is constantly accessing the IPs? I could make a block rule and log that rule, but is there any other way? A log or something?

    Thank You
    Best Regards

    Your problem of identifying the local IP that is generating Snort alerts is exactly why I recommend that folks using NAT put Snort on the LAN interface instead of just the WAN.  If you run Snort on the LAN, then all the local (LAN) IP addresses will show up with their pre-NAT values and thus be easier to identify.  When you run Snort on the WAN, then it sees traffic after the NAT rules have been applied, and thus LAN IP addresses all show up as the WAN IP.

    Bill



  • Done :) it solved my problem.

    Thank You
    Best Regards