Sorry if this isn't the right forum, but it seems the closest to me. I did read the sticky
I have a Snort server which monitors two taps, collected via an aggregator.
Some rules are only firing for the external interface. This is problematic since they tend to be policy violations, and I don't have a way to determine the internal IP for the violator.
Any suggestions?
Thanks,
Tim