[Snort-users] Using Snort to monitor traffic before NAT overl oad translation

Rose, Jerry L SAJ Jerry.L.Rose at ...3923...
Fri Oct 26 11:42:09 EDT 2001

How about egress filtering on your firewall?

-----Original Message-----
From: Joshua Wright [mailto:Joshua.Wright at ...2031...]
Sent: Friday, October 26, 2001 1:47 PM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] Using Snort to monitor traffic before NAT
overload translation

A little background:

Many of our student residence facilities are using NAT overload for outbound
Internet 1 and Internet 2 connectivity on a single IP address.  This is
working well for us, and prevents a lot of "undesired" functionality (e.g.
students hosting websites, FTP sites, etc).

The problem I am running into is tracking down people who are "hacking"
other sites.  If I receive a incident report from someone, they only IP
address they know about is the NAT overload address.  I don't presently have
a way to track down the individual who committed the reported acts.

I am considering using Snort to monitor internal traffic (e.g. EXTERNAL_NET
any) so if someone sends me a incident report, I can correlate it to a Snort
generated alert.

Are other people running into the same problem when using NAT overload?  Any
recommendations on using Snort in this fashion or a better solution?

As always, thanks.

-Joshua Wright, GCIH
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright at ...2031... 

pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20011026/be83d181/attachment.html>

More information about the Snort-users mailing list