[unisog] sample NAT logs and analysis tools (OBSD- fp)
hhoffman at ip-solutions.net
Thu Apr 28 02:02:49 GMT 2005
We don't :-( Currently we would correlate the reported IP address with
DHCP logs, arpwatch entries, and any potential snort/firewall logs.
The NAT'd networks we are currently using are fairly restrictive though.
We've been kicking around the idea of pitching to mgmt two separate dorm
networks. One that is NAT'd and fairly locked down and another which
uses externally routable IP space where kids could run whatever they like.
The difference would be consequences... so, getting caught for nasty things
would get you thrown back into the NAT'd network.
Russell Fulton wrote:
> If you are running NAT how do you deal with the "we saw a portscan from
> IP x (where x is the external address of the firewall)" if it was not
> picked up by snort?