Snort rules
Sorry if this isn't the right forum, but it seems the closest to me. I did read the sticky :)
I have a Snort server which monitors two taps, collected via an aggregator. Some rules are only firing for the external interface. This is problematic since they tend to be policy violations, and I don't have a way to determine the internal IP for the violator. Any suggestions? Thanks, Tim
You may be experiencing a placement issue, provided you've established your tap correctly.
Typically, what I do is run two snort instances, tapping both external and internal traffic (one snort process each). This will give me both the external-facing traffic and internal-facing traffic, which I can usually correlate. I do this at home, since I've maximum control, but your mileage may vary with a corporate set-up. Sensor placement in the enterprise can sometimes be difficult.
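The correlation step the reply describes, as an added example that is not from the thread: it pairs each alert from the external-tap instance with the closest record from the internal-tap instance that shares protocol, destination IP and port within a short time window, which recovers the pre-NAT internal address. The alert lines are constructed samples in Snort's alert_fast layout (assumed here; check against your own output), and the internal sensor is assumed to log matching flows.

```python
import re
from datetime import datetime

# Constructed sample lines in alert_fast style (not real alerts).
EXTERNAL_ALERTS = """\
03/06-14:23:01.120000  [**] [1:1000001:1] POLICY example rule [**] [Priority: 2] {TCP} 203.0.113.10:40001 -> 198.51.100.7:80
03/06-14:25:10.500000  [**] [1:1000001:1] POLICY example rule [**] [Priority: 2] {TCP} 203.0.113.10:40002 -> 198.51.100.9:80
03/06-14:30:00.000000  [**] [1:1000001:1] POLICY example rule [**] [Priority: 2] {TCP} 203.0.113.10:40003 -> 198.51.100.20:443
"""
INTERNAL_RECORDS = """\
03/06-14:23:01.090000  [**] [1:1000002:1] FLOW example log [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 198.51.100.7:80
03/06-14:23:01.300000  [**] [1:1000002:1] FLOW example log [**] [Priority: 3] {TCP} 10.0.0.8:51300 -> 198.51.100.8:443
03/06-14:25:10.470000  [**] [1:1000002:1] FLOW example log [**] [Priority: 3] {TCP} 10.0.0.9:51400 -> 198.51.100.9:80
"""

# Timestamp, then anything up to the {PROTO} tag, then src:port -> dst:port.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")  # year defaults to 1900; only deltas matter
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def correlate(external_text, internal_text, window_s=0.5):
    """Map each external alert to the internal source IP of the best-matching flow.

    Returns a list of (external_src, dst, dport, internal_src_or_None) tuples.
    """
    internal = [r for r in map(parse_alert, internal_text.splitlines()) if r]
    results = []
    for ext in filter(None, map(parse_alert, external_text.splitlines())):
        key = (ext["proto"], ext["dst"], ext["dport"])
        candidates = [
            i for i in internal
            if (i["proto"], i["dst"], i["dport"]) == key
            and abs((i["ts"] - ext["ts"]).total_seconds()) <= window_s
        ]
        # Pick the record nearest in time; None if the internal sensor saw nothing comparable.
        best = min(candidates, key=lambda i: abs((i["ts"] - ext["ts"]).total_seconds()), default=None)
        results.append((ext["src"], ext["dst"], ext["dport"], best["src"] if best else None))
    return results


if __name__ == "__main__":
    for ext_src, dst, dport, int_src in correlate(EXTERNAL_ALERTS, INTERNAL_RECORDS):
        print(f"{ext_src} -> {dst}:{dport}  internal host: {int_src or 'unresolved'}")
```

Clock skew between the two sensors directly limits how small `window_s` can be, so keep both hosts on the same NTP source before trusting a match.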