Using Snort to monitor traffic before NAT overload translation

[Joshua Wright <Joshua.Wright () jwu edu>]

A little background:

Many of our student residence facilities are using NAT overload for outbound
Internet 1 and Internet 2 connectivity on a single IP address.  This is
working well for us, and prevents a lot of "undesired" functionality (e.g.
students hosting websites, FTP sites, etc).

The problem I am running into is tracking down people who are "hacking"
other sites.  If I receive a incident report from someone, they only IP
address they know about is the NAT overload address.  I don't presently have
a way to track down the individual who committed the reported acts.

I am considering using Snort to monitor internal traffic (e.g. EXTERNAL_NET
any) so if someone sends me a incident report, I can correlate it to a Snort
generated alert.

Are other people running into the same problem when using NAT overload?  Any
recommendations on using Snort in this fashion or a better solution?

As always, thanks.

-Joshua Wright, GCIH
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright () jwu edu 

pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users