Re: Problems with detecting source ip

[Giles Coochey <giles () coochey net>]

On 28-11-2012 12:57, Dmitry Korzhevin wrote:
> 28.11.2012 12:52, Giles Coochey пишет:
> > On 28-11-2012 10:04, Dmitry Korzhevin wrote:
> > > Hi,
> > >
> > > I have server, which i user for VPN (ipsec and pptp). I configured
> > > Snort+barnyard2+mysql+snorby web interface.
> > You probably ought to disable PPTP...
>
> I can't disable pptp, as i have users, which use it.
And you may also have people who are breaking into it too

http://lists.randombit.net/pipermail/cryptography/2012-April/002729.html

DES these days is easily breakable in 30 minutes.


> > > Problem, is when i login to snorby web interface, i see many 
> > > alerts,
> > > but for all alerts Source IP - is server ip. I wish see internal
> > > client ip, not server ip.
> >
> > Sounds like you are collecting on your outside interface after NAT 
> > has
> > taken place.
>
> So, seems this interface configuration error?

Yes, run it specifying the appropriate "-i <interface>" on the snort 
command line.

Where interface is the pre-NAT interface facing your clients.

> > Try attaching snort to the other (the inside one, facing your 
> > clients)
> > Interface on the server.
> >
> >
> > ------------------------------------------------------------------------------
> > Keep yourself connected to Go Parallel:
> > INSIGHTS What's next for parallel hardware, programming and related 
> > areas?
> > Interviews and blogs by thought leaders keep you ahead of the curve.
> > http://goparallel.sourceforge.net
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest 
> > Snort news!
>
> Best Regards,
> Dmitry
>
> ---
> Dmitry KORZHEVIN
> System Administrator
> STIDIA S.A. - Luxembourg
>
> e: dmitry.korzhevin () stidia com
> m: +38 093 874 5453
> w: http://www.stidia.com
>
>
>
> ------------------------------------------------------------------------------
> Keep yourself connected to Go Parallel:
> INSIGHTS What's next for parallel hardware, programming and related 
> areas?
> Interviews and blogs by thought leaders keep you ahead of the curve.
> http://goparallel.sourceforge.net
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!

------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
INSIGHTS What's next for parallel hardware, programming and related areas?
Interviews and blogs by thought leaders keep you ahead of the curve.
http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!