Snort mailing list archives
Re: Problems with detecting source ip
From: Giles Coochey <giles () coochey net>
Date: Wed, 28 Nov 2012 13:16:29 +0000
On 28-11-2012 12:57, Dmitry Korzhevin wrote:
> 28.11.2012 12:52, Giles Coochey wrote:
>> On 28-11-2012 10:04, Dmitry Korzhevin wrote:
>>> Hi, I have a server, which I use for VPN (ipsec and pptp). I configured Snort+barnyard2+mysql+snorby web interface.
>> You probably ought to disable PPTP...
> I can't disable pptp, as I have users who use it.
And you may also have people who are breaking into it too http://lists.randombit.net/pipermail/cryptography/2012-April/002729.html DES these days is easily breakable in 30 minutes.
>>> Problem is, when I log in to the snorby web interface, I see many alerts, but for all alerts the Source IP is the server IP. I wish to see the internal client IP, not the server IP.
>> Sounds like you are collecting on your outside interface after NAT has taken place.
> So, it seems this is an interface configuration error?
Yes, run it specifying the appropriate "-i <interface>" on the snort command line. Where interface is the pre-NAT interface facing your clients.
>> Try attaching snort to the other (the inside one, facing your clients) Interface on the server.
>>
>> ------------------------------------------------------------------------------
>> Keep yourself connected to Go Parallel:
>> INSIGHTS What's next for parallel hardware, programming and related areas?
>> Interviews and blogs by thought leaders keep you ahead of the curve.
>> http://goparallel.sourceforge.net
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> Best Regards,
> Dmitry
>
> ---
> Dmitry KORZHEVIN
> System Administrator
> STIDIA S.A. - Luxembourg
> e: dmitry.korzhevin () stidia com
> m: +38 093 874 5453
> w: http://www.stidia.com
Current thread:
- Problems with detecting source ip Dmitry Korzhevin (Nov 28)
- Re: Problems with detecting source ip Giles Coochey (Nov 28)
- Re: Problems with detecting source ip Dmitry Korzhevin (Nov 28)
- Re: Problems with detecting source ip Giles Coochey (Nov 28)
- Re: Problems with detecting source ip Peter Bates (Nov 28)
- Re: Problems with detecting source ip Dmitry Korzhevin (Nov 28)
- Re: Problems with detecting source ip Giles Coochey (Nov 28)