Snort mailing list archives
Re: Problems with detecting source ip
From: Dmitry Korzhevin <dmitry.korzhevin () stidia com>
Date: Wed, 28 Nov 2012 14:57:29 +0200
28.11.2012 12:52, Giles Coochey пишет:
On 28-11-2012 10:04, Dmitry Korzhevin wrote:Hi, I have server, which i user for VPN (ipsec and pptp). I configured Snort+barnyard2+mysql+snorby web interface.You probably ought to disable PPTP...
I can't disable pptp, as i have users, which use it.
Problem, is when i login to snorby web interface, i see many alerts, but for all alerts Source IP - is server ip. I wish see internal client ip, not server ip.Sounds like you are collecting on your outside interface after NAT has taken place.
So, seems this interface configuration error?
Try attaching snort to the other (the inside one, facing your clients) Interface on the server. ------------------------------------------------------------------------------ Keep yourself connected to Go Parallel: INSIGHTS What's next for parallel hardware, programming and related areas? Interviews and blogs by thought leaders keep you ahead of the curve. http://goparallel.sourceforge.net _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Best Regards, Dmitry --- Dmitry KORZHEVIN System Administrator STIDIA S.A. - Luxembourg e: dmitry.korzhevin () stidia com m: +38 093 874 5453 w: http://www.stidia.com
Attachment:
smime.p7s
Description: Криптографическая подпись S/MIME
------------------------------------------------------------------------------ Keep yourself connected to Go Parallel: INSIGHTS What's next for parallel hardware, programming and related areas? Interviews and blogs by thought leaders keep you ahead of the curve. http://goparallel.sourceforge.net
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Problems with detecting source ip Dmitry Korzhevin (Nov 28)
- Re: Problems with detecting source ip Giles Coochey (Nov 28)
- Re: Problems with detecting source ip Dmitry Korzhevin (Nov 28)
- Re: Problems with detecting source ip Giles Coochey (Nov 28)
- Re: Problems with detecting source ip Peter Bates (Nov 28)
- Re: Problems with detecting source ip Dmitry Korzhevin (Nov 28)
- Re: Problems with detecting source ip Giles Coochey (Nov 28)