How do I show user/private IP not single, public IP



  • pfS: 2.2.3-RELEASE (amd64)
    Suricata: 2.1.5
    Squid3: 0.2.8
    Squidguard: 1.9.14

    When I'm looking at the alerts in Suricata I see either in the src or dst column that my public IP is one or the other. Is it possible to show the private, LAN address of the src or dst so it's easier to see which PC on the LAN is either generating the alert or is a recipient of the alerted traffic?

    thx.


  • Banned

    By running Suricata on LAN.


  • Banned

    I run a light Snort configuration on WAN to get the most obvious culprits like portscans asf.

    I run Snort on LAN as well to see who is harbouring the bad ass traffic :D



  • Am I supposed to run on LAN and WAN simultaneously? Is it standard to run on WAN but because I made the request to see the LAN IPs I am going with a non-standard config now?

    thx for your help.


  • Banned

    If you want to see internal LAN IPs before NAT, you need to run on LAN as well.