[Snort-users] Using Snort to monitor traffic before NAT overload translation

Joshua Wright Joshua.Wright at ...2031...
Fri Oct 26 10:48:08 EDT 2001

A little background:

Many of our student residence facilities are using NAT overload for outbound
Internet 1 and Internet 2 connectivity on a single IP address.  This is
working well for us, and prevents a lot of "undesired" functionality (e.g.
students hosting websites, FTP sites, etc).

The problem I am running into is tracking down people who are "hacking"
other sites.  If I receive a incident report from someone, they only IP
address they know about is the NAT overload address.  I don't presently have
a way to track down the individual who committed the reported acts.

I am considering using Snort to monitor internal traffic (e.g. EXTERNAL_NET
any) so if someone sends me a incident report, I can correlate it to a Snort
generated alert.

Are other people running into the same problem when using NAT overload?  Any
recommendations on using Snort in this fashion or a better solution?

As always, thanks.

-Joshua Wright, GCIH
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright at ...2031... 

pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

More information about the Snort-users mailing list