Snort mailing list archives
Using Snort to monitor traffic before NAT overload translation
From: Joshua Wright <Joshua.Wright () jwu edu>
Date: Fri, 26 Oct 2001 13:47:06 -0400
A little background: Many of our student residence facilities are using NAT overload for outbound Internet 1 and Internet 2 connectivity on a single IP address. This is working well for us, and prevents a lot of "undesired" functionality (e.g. students hosting websites, FTP sites, etc.).

The problem I am running into is tracking down people who are "hacking" other sites. If I receive an incident report from someone, the only IP address they know about is the NAT overload address. I don't presently have a way to track down the individual who committed the reported acts.

I am considering using Snort to monitor internal traffic (e.g. EXTERNAL_NET any) so if someone sends me an incident report, I can correlate it to a Snort generated alert.

Are other people running into the same problem when using NAT overload? Any recommendations on using Snort in this fashion or a better solution?

As always, thanks.

-Joshua Wright, GCIH
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright () jwu edu

pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
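The correlation step the post describes, as an added example that is not part of the original message: it parses Snort "fast" alert lines logged by a sensor on the inside of the NAT device and returns the internal source addresses that alerted against the reporting site's IP and port within a clock-skew window. The addresses, rule messages, sids, function names and the incident report time are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Snort "fast" alert line: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts as seen BEFORE translation (private source addresses still visible).
SAMPLE_ALERTS = """\
10/26-13:40:02.114201  [**] [1:1000001:1] LOCAL outbound FTP login attempt [**] [Priority: 2] {TCP} 10.20.4.17:1042 -> 203.0.113.50:21
10/26-13:41:37.902310  [**] [1:1000002:1] LOCAL outbound web CGI probe [**] [Priority: 2] {TCP} 10.20.7.88:3310 -> 198.51.100.9:80
10/26-13:41:40.003117  [**] [1:1000002:1] LOCAL outbound web CGI probe [**] [Priority: 2] {TCP} 10.20.7.88:3311 -> 198.51.100.9:80
10/26-16:05:12.551000  [**] [1:1000002:1] LOCAL outbound web CGI probe [**] [Priority: 2] {TCP} 10.20.9.3:2200 -> 198.51.100.9:80
"""

def parse_fast_alerts(text, year):
    """Yield one dict per parseable line; fast alerts carry no year, so the caller supplies it."""
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines and alerts without ports (e.g. ICMP)
        rec = m.groupdict()
        rec["time"] = datetime.strptime(f"{year}/{rec['ts']}", "%Y/%m/%d-%H:%M:%S")
        rec["dport"] = int(rec["dport"])
        yield rec

def correlate(alerts, victim_ip, victim_port, reported_time, skew_minutes=5):
    """Return {internal_src: [alert messages]} for alerts aimed at the victim within +/- skew."""
    window = timedelta(minutes=skew_minutes)
    hits = {}
    for a in alerts:
        if (a["dst"] == victim_ip and a["dport"] == victim_port
                and abs(a["time"] - reported_time) <= window):
            hits.setdefault(a["src"], []).append(a["msg"])
    return hits

if __name__ == "__main__":
    # Constructed incident report, already converted to the sensor's time zone.
    report_time = datetime(2001, 10, 26, 13, 43)
    alerts = parse_fast_alerts(SAMPLE_ALERTS, 2001)
    for src, msgs in correlate(alerts, "198.51.100.9", 80, report_time).items():
        print(src, len(msgs), msgs[0])
```

The match is only as good as the time agreement between the reporter's clock and the sensor's, so the skew window should be widened when the report gives no time zone.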