[Snort-users] Using Snort to monitor traffic before NAT overload translation
Rose, Jerry L SAJ
Jerry.L.Rose at ...3923...
Fri Oct 26 11:42:09 EDT 2001
How about egress filtering on your firewall?
From: Joshua Wright [mailto:Joshua.Wright at ...2031...]
Sent: Friday, October 26, 2001 1:47 PM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] Using Snort to monitor traffic before NAT
A little background:
Many of our student residence facilities are using NAT overload for outbound
Internet 1 and Internet 2 connectivity on a single IP address. This is
working well for us, and prevents a lot of "undesired" functionality (e.g.
students hosting websites, FTP sites, etc).
The problem I am running into is tracking down people who are "hacking"
other sites. If I receive an incident report from someone, the only IP
address they know about is the NAT overload address. I don't presently have
a way to track down the individual who committed the reported acts.
I am considering using Snort to monitor internal traffic (e.g. EXTERNAL_NET
any) so if someone sends me an incident report, I can correlate it to a Snort
Are other people running into the same problem when using NAT overload? Any
recommendations on using Snort in this fashion or a better solution?
As always, thanks.
-Joshua Wright, GCIH
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright at ...2031...
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
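
Added example, not part of either message above: one way to do the correlation the original post describes, matching an incident report (destination IP, destination port, time) against logs from a sensor placed on the inside of the NAT device, where internal source addresses are still visible. The log lines are constructed in the style of Snort's fast alert output; the rule message `outbound tcp`, the addresses, and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines in the style of Snort's fast alert output, as a
# sensor on the inside of the NAT device would log them (assumed format).
# 10.10.x.x = internal hosts; 192.0.2.x / 198.51.100.x = documentation ranges.
SAMPLE_LOG = """\
10/26-13:40:11.120000 [**] [1:1000001:1] outbound tcp [**] {TCP} 10.10.4.23:3127 -> 192.0.2.80:21
10/26-13:41:02.554000 [**] [1:1000001:1] outbound tcp [**] {TCP} 10.10.7.101:4410 -> 198.51.100.5:80
10/26-13:43:30.009000 [**] [1:1000001:1] outbound tcp [**] {TCP} 10.10.4.23:3130 -> 192.0.2.80:21
10/26-13:44:05.700000 [**] [1:1000001:1] outbound tcp [**] {TCP} 10.10.9.8:2201 -> 192.0.2.80:80
10/26-14:30:00.000000 [**] [1:1000001:1] outbound tcp [**] {TCP} 10.10.2.2:1999 -> 192.0.2.80:21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ .*\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(log_text, year):
    """Yield (timestamp, internal_src, dst, dst_port) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed, or no ports (e.g. ICMP)
        # Fast-style timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        yield ts, m["src"], m["dst"], int(m["dport"])

def correlate(log_text, year, victim_ip, victim_port, reported_at,
              skew=timedelta(minutes=5)):
    """Map each internal source IP to the times it contacted the reported
    destination, within +/- skew of the time given in the incident report."""
    hits = {}
    for ts, src, dst, dport in parse(log_text, year):
        if dst == victim_ip and dport == victim_port and abs(ts - reported_at) <= skew:
            hits.setdefault(src, []).append(ts)
    return hits

if __name__ == "__main__":
    report_time = datetime(2001, 10, 26, 13, 42)
    for src, times in correlate(SAMPLE_LOG, 2001, "192.0.2.80", 21, report_time).items():
        print(src, [t.strftime("%H:%M:%S") for t in times])
```

The `skew` window absorbs clock drift between the reporter and the sensor; a report time given in another time zone has to be converted to the sensor's clock before calling `correlate`.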