[unisog] sample NAT logs and analysis tools (OBSD- fp)

Harry Hoffman hhoffman at ip-solutions.net
Thu Apr 28 02:02:49 GMT 2005

Hi Russell,

We don't :-( Currently we would correlate the reported IP address with 
DHCP logs, arpwatch entries, and any potential snort/firewall logs.

The NAT'd networks we are currently using are fairly restrictive though.

We've been kicking around the idea of pitching to mgmt two separate dorm 
networks. One that is NAT'd and fairly locked down and another which 
uses externally routable IP space where kids could run whatever they like.

The difference would be consequences... so, getting caught for nasty things 
would get you thrown back into the NAT'd network.


Russell Fulton wrote:
> If you are running NAT how do you deal with the "we saw a portscan from
> IP x (where x is the external address of the firewall)" if it was not
> picked up by snort?

