LinuxQuestions.org


timbCFCA 10-09-2009 10:46 AM

Snort rules
 
Sorry if this isn't the right forum, but it seems the closest to me. I did read the sticky :)

I have a Snort server which monitors two taps, collected via an aggregator.
Some rules are only firing for the external interface. This is problematic since they tend to be policy violations, and I don't have a way to determine the internal IP for the violator.

Any suggestions?

Thanks,
Tim

unixfool 10-12-2009 12:42 PM

You may be experiencing a placement issue, provided you've established your tap correctly.

Typically, what I do is run two snort instances, tapping both external and internal traffic (one snort process each). This will give me both the external-facing traffic and internal-facing traffic, which I can usually correlate. I do this at home, since I have maximum control, but your mileage may vary with a corporate set-up. Sensor placement in the enterprise can sometimes be difficult.
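One way to do the correlation unixfool describes, as an added example that is not code from this thread: it matches Snort fast-format alerts written by the external-facing sensor against connection records from the internal-facing sensor to recover the pre-NAT address of the host that tripped a policy rule. The alert lines, the CSV flow records, and the 2-second matching window are all constructed assumptions for this example.

```python
import csv, io, re
from datetime import datetime, timedelta

# Snort "fast" alert lines from the external-facing sensor (post-NAT addresses). The
# layout follows the fast output plugin; every sample line here is constructed.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(?P<sid>[^\]]+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
EXTERNAL_ALERTS = """\
10/09-10:46:01.120000 [**] [1:1000001:1] POLICY example p2p handshake [**] [Priority: 2] {TCP} 198.51.100.10:40311 -> 203.0.113.5:6881
10/09-10:46:09.500000 [**] [1:1000002:1] POLICY example cleartext login [**] [Priority: 2] {TCP} 198.51.100.10:40388 -> 203.0.113.9:21
"""
# Connection records seen by the internal-facing sensor (pre-NAT addresses), constructed.
INTERNAL_FLOWS = """\
time,proto,src,sport,dst,dport
10/09-10:46:01.118000,TCP,10.0.0.23,40311,203.0.113.5,6881
10/09-10:46:01.119000,TCP,10.0.0.41,51000,203.0.113.5,6881
10/09-10:46:09.400000,TCP,10.0.0.77,40388,203.0.113.9,21
"""

def parse_time(ts, year=2009):
    # Fast-format timestamps carry no year, so the caller supplies it.
    return datetime.strptime(f"{year}/{ts}", "%Y/%m/%d-%H:%M:%S.%f")

def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:  # skip anything that is not a well-formed fast alert
            d = m.groupdict()
            d["time"] = parse_time(d.pop("ts"))
            alerts.append(d)
    return alerts

def find_internal_ip(alert, flows, window=timedelta(seconds=2)):
    """Pick the pre-NAT flow behind an external-side alert: same protocol, destination
    and port inside the time window; a flow whose source port survived NAT wins ties."""
    hits = [f for f in flows if f["proto"] == alert["proto"] and f["dst"] == alert["dst"]
            and f["dport"] == alert["dport"] and abs(f["time"] - alert["time"]) <= window]
    if not hits:
        return None
    hits.sort(key=lambda f: (f["sport"] != alert["sport"], abs(f["time"] - alert["time"])))
    return hits[0]["src"]

def correlate(alert_text=EXTERNAL_ALERTS, flow_text=INTERNAL_FLOWS):
    # Map each external-side alert SID to the internal host that caused it.
    flows = list(csv.DictReader(io.StringIO(flow_text)))
    for f in flows:
        f["time"] = parse_time(f["time"])
    return {a["sid"]: find_internal_ip(a, flows) for a in parse_alerts(alert_text)}
```

With port-overloading NAT the source port will not survive, so the fallback is the closest flow to the same destination; widen the window only as far as the NAT device's clock skew requires.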

