I have Snort running on a firewall with 3 interfaces (Internet, DMZ, Internal). Snort is monitoring the Internet-facing interface. I'm using Base 1.4.1 with schema 107. Is there any way to configure Base to show the pre-NAT IP address so that I can identify the internal client? I don't want to run multiple instances of Snort or change which interface it's currently monitoring.
I was hoping I could enable iptables logging in the POSTROUTING nat rule(s) and have that fed into Base so it could "tie" the PRE and POST NAT source IP addresses together. Of course, Base would have to support such a thing.
If Snort hears the traffic after it's been NATted, it's not going to know the non-NATted source address. Just run tcpdump or Wireshark on the outside and examine the contents of any of the packets. The original private IP will not be in there. Note section 3.3, Header Manipulations, in RFC 1631.
Thanks for the response Mike. I'm aware that the NAT'ed packets won't have the original source, which is why I referred to the iptables/netfilter. You're not going to get this information from Snort. The SIM I use at work collects firewall logs, including translations, and correlates this information with events/alarms. I was hoping maybe BASE had that capability.
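The correlation the thread ends on (firewall translation logs joined to IDS alerts on the post-NAT 5-tuple) can be done outside BASE. The following is an added example, not code from the thread, from BASE or from Snort. It assumes two constructed inputs: NAT translation events in the shape of `conntrack -E -o timestamp` output (original tuple followed by reply tuple, where the reply tuple's destination is the public address Snort sees), and Snort alerts in the "fast" alert format. Because the fast format carries no year, the caller supplies one, and all timestamps are treated as UTC; both choices are assumptions for the example, as is the `max_age_s` cap on how old a translation may be.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed conntrack-style NEW events (sample addresses/ports are made up).
# Original tuple = internal client -> destination; reply tuple's dst/dport =
# the public (post-NAT) source address/port that Snort sees on the outside.
NAT_EVENTS = """\
[1714557601.000000]    [NEW] tcp      6 120 SYN_SENT src=192.168.10.25 dst=203.0.113.50 sport=51234 dport=443 [UNREPLIED] src=203.0.113.50 dst=198.51.100.7 sport=443 dport=51234
[1714557605.000000]    [NEW] tcp      6 120 SYN_SENT src=192.168.10.40 dst=203.0.113.50 sport=51234 dport=443 [UNREPLIED] src=203.0.113.50 dst=198.51.100.7 sport=443 dport=40001
[1714557650.000000]    [NEW] udp      17 30 src=192.168.10.77 dst=203.0.113.9 sport=53000 dport=53 [UNREPLIED] src=203.0.113.9 dst=198.51.100.7 sport=53 dport=53000
"""

# Constructed Snort fast-format alerts seen on the Internet-facing interface.
SNORT_ALERTS = """\
05/01-10:00:03.500000  [**] [1:1000001:1] CONSTRUCTED outbound policy hit [**] [Priority: 2] {TCP} 198.51.100.7:51234 -> 203.0.113.50:443
05/01-10:00:07.000000  [**] [1:1000001:1] CONSTRUCTED outbound policy hit [**] [Priority: 2] {TCP} 198.51.100.7:40001 -> 203.0.113.50:443
05/01-10:05:00.000000  [**] [1:1000002:1] CONSTRUCTED DNS anomaly [**] [Priority: 3] {UDP} 198.51.100.7:53000 -> 203.0.113.9:53
05/01-10:10:00.000000  [**] [1:1000003:1] CONSTRUCTED unknown [**] [Priority: 3] {TCP} 198.51.100.7:60000 -> 203.0.113.99:80
"""

CT_RE = re.compile(
    r"^\[(?P<ts>[\d.]+)\]\s+\[NEW\]\s+(?P<proto>\w+)\s+\d+\s+\d+\s+(?:\w+\s+)?"
    r"src=(?P<osrc>\S+) dst=(?P<odst>\S+) sport=(?P<osport>\d+) dport=(?P<odport>\d+)\s+"
    r"(?:\[UNREPLIED\]\s+)?src=(?P<rsrc>\S+) dst=(?P<rdst>\S+) sport=(?P<rsport>\d+) dport=(?P<rdport>\d+)"
)
SNORT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)"
)


def parse_conntrack_event(line):
    """Return a dict describing one NAT translation, or None if the line does not match."""
    m = CT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "time": datetime.fromtimestamp(float(d["ts"]), tz=timezone.utc),
        "proto": d["proto"].upper(),
        "internal_src": d["osrc"], "internal_sport": int(d["osport"]),
        "public_src": d["rdst"], "public_sport": int(d["rdport"]),
        "dst": d["odst"], "dport": int(d["odport"]),
    }


def parse_snort_fast(line, year):
    """Parse a Snort fast-format alert; the year is supplied because the format omits it."""
    m = SNORT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    micro = int(d["us"].ljust(6, "0")[:6])
    return {
        "time": datetime(year, int(d["mon"]), int(d["day"]), int(d["h"]), int(d["m"]),
                         int(d["s"]), micro, tzinfo=timezone.utc),
        "sid": int(d["sid"]), "msg": d["msg"], "proto": d["proto"].upper(),
        "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"]),
    }


def build_translation_index(nat_lines):
    """Index translations by the post-NAT tuple Snort observes: (proto, public src, public sport, dst, dport)."""
    index = defaultdict(list)
    for line in nat_lines:
        ev = parse_conntrack_event(line)
        if ev:
            index[(ev["proto"], ev["public_src"], ev["public_sport"], ev["dst"], ev["dport"])].append(ev)
    for events in index.values():
        events.sort(key=lambda e: e["time"])
    return index


def resolve_internal_source(alert, index, max_age_s=3600):
    """Map an alert's post-NAT source back to the internal client, or None if no translation is known."""
    key = (alert["proto"], alert["src"], alert["sport"], alert["dst"], alert["dport"])
    best = None
    for ev in index.get(key, []):
        age = (alert["time"] - ev["time"]).total_seconds()
        # A later NEW event for the same public tuple supersedes an earlier, expired one.
        if 0 <= age <= max_age_s:
            best = ev
    return best["internal_src"] if best else None


def correlate(nat_lines, alert_lines, year):
    """Attach the pre-NAT client address to each parsed alert."""
    index = build_translation_index(nat_lines)
    results = []
    for line in alert_lines:
        alert = parse_snort_fast(line, year)
        if alert is None:
            continue
        alert["internal_src"] = resolve_internal_source(alert, index)
        results.append(alert)
    return results


if __name__ == "__main__":
    for a in correlate(NAT_EVENTS.splitlines(), SNORT_ALERTS.splitlines(), 2024):
        print(f"sid {a['sid']} {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']} "
              f"internal client: {a['internal_src'] or 'unknown'}")
```

Matching on the full post-NAT 5-tuple rather than on the public address alone matters because, as the first two sample events show, two internal hosts can pick the same original source port and be masqueraded to different public ports; the public port is what disambiguates them. The fourth alert has no recorded translation and is reported as unknown rather than guessed.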