Any way to get pre-NAT IP address?

BASE-user
matt_hell
2008-11-07
2013-06-03
  • matt_hell
    2008-11-07

    I have Snort running on a firewall with 3 interfaces (Internet, DMZ, Internal). Snort is monitoring the Internet-facing interface. I'm using Base 1.4.1 with schema 107. Is there any way to configure Base to show the pre-NAT IP address so that I can identify the internal client? I don't want to run multiple instances of Snort or change which interface it's currently monitoring.

    I was hoping I could enable iptables logging in the POSTROUTING nat rule(s) and have that fed into Base so it could "tie" the pre- and post-NAT source IP addresses together. Of course, Base would have to support such a thing.

    • mikesnort
      2009-01-28

      If Snort hears the traffic after it's been NATted, it's not going to know the non-NATted source address. Just run tcpdump or Wireshark on the outside and examine the contents of any of the packets. The original private IP will not be in there. Note section 3.3, Header Manipulations, in RFC 1631.

      http://www.faqs.org/rfcs/rfc1631.html

      http://www.faqs.org/rfcs/rfc1918.html

      • matt_hell
        2009-01-28

        Thanks for the response, Mike. I'm aware that the NAT'ed packets won't have the original source, which is why I referred to iptables/netfilter. You're not going to get this information from Snort. The SIM I use at work collects firewall logs, including translations, and correlates this information with events/alarms. I was hoping maybe BASE had that capability.
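The correlation the original post asks for, and that the last reply describes the SIM doing, can be done outside BASE by joining the firewall's NAT translation records against Snort's alert lines. The following is an added example, not code from BASE, Snort or anyone in this thread; it assumes translation records in the style of netfilter `conntrack -E` event output (original tuple followed by reply tuple), constructed sample lines for both sides, and Snort's "fast" alert format.

```python
"""Map a Snort alert's post-NAT source back to the internal client using
netfilter connection-tracking events (constructed sample data, Python 3)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed events in the style of `conntrack -E` output (format assumed): the first
# src/dst/sport/dport block is the original (pre-NAT) tuple, the second is the reply
# tuple, whose dst/dport is the public address/port that Snort sees on the outside.
CONNTRACK_EVENTS = """\
[NEW] tcp      6 120 SYN_SENT src=10.0.0.5 dst=203.0.113.9 sport=51234 dport=80 [UNREPLIED] src=203.0.113.9 dst=198.51.100.1 sport=80 dport=51234
[NEW] tcp      6 120 SYN_SENT src=10.0.0.7 dst=203.0.113.9 sport=51234 dport=443 [UNREPLIED] src=203.0.113.9 dst=198.51.100.1 sport=443 dport=40001
[NEW] udp      17 30 src=10.0.0.9 dst=203.0.113.53 sport=53001 dport=53 [UNREPLIED] src=203.0.113.53 dst=198.51.100.1 sport=53 dport=53001
"""
# Constructed Snort "fast" alert lines carrying the post-NAT addresses.
SNORT_ALERTS = """\
11/07-10:15:22.123456  [**] [1:1000001:1] CONSTRUCTED outbound HTTP [**] [Priority: 3] {TCP} 198.51.100.1:51234 -> 203.0.113.9:80
11/07-10:15:23.000001  [**] [1:1000002:1] CONSTRUCTED outbound TLS [**] [Priority: 3] {TCP} 198.51.100.1:40001 -> 203.0.113.9:443
11/07-10:15:24.000001  [**] [1:1000003:1] CONSTRUCTED no translation [**] [Priority: 3] {TCP} 198.51.100.1:9999 -> 203.0.113.9:80
"""

Key = Tuple[str, str, int, str, int]  # (proto, public src, public sport, dst, dport)
KV = re.compile(r"(src|dst|sport|dport)=(\S+)")
ALERT = re.compile(r"\{(\w+)\}\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)")

def build_nat_table(events: str) -> Dict[Key, str]:
    """Index each translation by the public-side 5-tuple Snort will report."""
    table: Dict[Key, str] = {}
    for line in events.splitlines():
        fields = KV.findall(line)
        if len(fields) < 8:
            continue  # no complete original+reply pair on this line
        orig, reply = dict(fields[:4]), dict(fields[4:8])
        proto = line.split()[1].upper()
        key = (proto, reply["dst"], int(reply["dport"]), reply["src"], int(reply["sport"]))
        table[key] = orig["src"]  # pre-NAT client address
    return table

def resolve_alert(alert: str, table: Dict[Key, str]) -> Optional[str]:
    """Return the internal client for one alert line, or None if no translation matches."""
    m = ALERT.search(alert)
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    return table.get((proto.upper(), src, int(sport), dst, int(dport)))

def correlate(alerts: str, events: str) -> List[Tuple[str, Optional[str]]]:
    """Pair each alert timestamp with the resolved pre-NAT source (None = unresolved)."""
    table = build_nat_table(events)
    return [(a.split()[0], resolve_alert(a, table)) for a in alerts.splitlines() if a.strip()]
```

A production correlator must also bound the match by time, because a public source port is reused by later connections once the tracked entry expires.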