[unisog] sample NAT logs and analysis tools (OBSD- fp)
michael.holstein at csuohio.edu
Thu Apr 28 13:09:08 GMT 2005
> If you are running NAT how do you deal with the "we saw a portscan from
> IP x (where x is the external address of the firewall)" if it was not
> picked up by snort?
I assume that you'll be doing the NAT with a network device (router,
firewall, etc.) versus a Linux box or whatnot. If that's the case,
every router/firewall I've encountered (admittedly, this has been mostly
Cisco/Checkpoint/Netscreen) logs the creation of a translation,
e.g. on the Cisco: "built xlate 123456 for inside 184.108.40.206 to outside
Using Syslog-NG and the REGEX rules, you could stick just that info into
MySQL and query it later.
Or you could just get a big disk, log everything in debug mode and go
the old-fashioned route (e.g. "grep 220.127.116.11 firewall.log").
Another obvious answer is to just put another snort sensor in FRONT of
the NAT box. One can never have too many IDS systems ;)
Michael Holstein CISSP GCIA
Cleveland State University
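An added example, not part of Michael's post or of any tool he names, of the "stick the translation records in a database and query them later" approach: it parses Cisco-style "Built"/"Teardown dynamic ... translation" syslog lines, loads them into sqlite3 (standing in for MySQL), and answers the question the thread is about, namely which inside host held a given outside address and port at the time an abuse report names. The sample log lines, their message numbers, hostnames and addresses are constructed for the demo and only approximate the real firewall wording, so the regex will need adjusting against your own logs. It also covers the case a bare grep gets wrong: the same outside port handed to a different inside host after the first translation is torn down.

```python
"""Answer "which inside host sat behind outside address X at time T?" from
firewall NAT translation logs.  Added example, not from the original post.

The sample lines are constructed for this demo and only approximate the
Cisco PIX/ASA "Built/Teardown dynamic ... translation" syslog messages;
check your firewall's exact wording and adjust XLATE_RE.  sqlite3 stands
in for the MySQL store suggested in the post.
"""
import re
import sqlite3

# Constructed sample log (not real traffic).  ISO timestamps are used so
# they sort correctly as strings; real syslog usually lacks the year, so
# normalise first if you adapt this.  Note that outside port 40001 is
# reused by a second inside host after the first translation is torn down.
SAMPLE_LOG = """\
2005-04-28T12:58:01 fw %PIX-6-305011: Built dynamic TCP translation from inside:10.1.1.5/3345 to outside:192.0.2.10/40001
2005-04-28T12:58:02 fw %PIX-6-305011: Built dynamic UDP translation from inside:10.1.1.9/53 to outside:192.0.2.10/40002
2005-04-28T12:58:05 fw %PIX-6-305009: Built dynamic translation from inside:10.1.1.40 to outside:192.0.2.11
2005-04-28T12:59:10 fw %PIX-6-305012: Teardown dynamic TCP translation from inside:10.1.1.5/3345 to outside:192.0.2.10/40001 duration 0:01:09
2005-04-28T13:00:00 fw %PIX-6-305011: Built dynamic TCP translation from inside:10.1.1.22/1025 to outside:192.0.2.10/40001
2005-04-28T13:02:30 fw %PIX-6-106023: Deny tcp src outside:198.51.100.4/4444 dst inside:192.0.2.10/22 by access-group "outside_in"
"""

# Protocol and ports are optional so that both the port-less (305009) and
# the per-protocol (305011/305012) shapes of the message are accepted.
XLATE_RE = re.compile(
    r"(?P<event>Built|Teardown) dynamic (?:(?P<proto>TCP|UDP|ICMP) )?translation "
    r"from inside:(?P<in_ip>\d+(?:\.\d+){3})(?:/(?P<in_port>\d+))? "
    r"to outside:(?P<out_ip>\d+(?:\.\d+){3})(?:/(?P<out_port>\d+))?"
)


def parse_xlate(line):
    """Return a dict for a Built/Teardown translation line, else None."""
    m = XLATE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = line.split(None, 1)[0]          # leading timestamp token
    for k in ("in_port", "out_port"):
        rec[k] = int(rec[k]) if rec[k] else None
    return rec


def load(lines, conn):
    """Insert each Built event; on Teardown, close the matching open row."""
    conn.execute("""CREATE TABLE IF NOT EXISTS xlate (
        proto TEXT, in_ip TEXT, in_port INTEGER, out_ip TEXT,
        out_port INTEGER, built TEXT, torn_down TEXT)""")
    for line in lines:
        r = parse_xlate(line)
        if r is None:
            continue
        key = (r["in_ip"], r["in_port"], r["out_ip"], r["out_port"])
        if r["event"] == "Built":
            conn.execute("INSERT INTO xlate VALUES (?,?,?,?,?,?,NULL)",
                         (r["proto"],) + key + (r["ts"],))
        else:
            # The newest still-open row for this 4-tuple is the one being
            # torn down; IS rather than = so NULL ports compare equal.
            conn.execute("""UPDATE xlate SET torn_down=? WHERE rowid = (
                SELECT rowid FROM xlate
                WHERE in_ip=? AND in_port IS ? AND out_ip=? AND out_port IS ?
                  AND torn_down IS NULL ORDER BY built DESC LIMIT 1)""",
                         (r["ts"],) + key)
    conn.commit()


def who_used(conn, out_ip, at, out_port=None):
    """(in_ip, in_port, proto) rows mapped to out_ip[:out_port] at ISO time `at`.

    A translation with no Teardown seen is treated as still open, the safe
    default when the log pipeline may have dropped the teardown message.
    """
    return conn.execute("""SELECT in_ip, in_port, proto FROM xlate
        WHERE out_ip=? AND (? IS NULL OR out_port=?)
          AND built<=? AND (torn_down IS NULL OR torn_down>=?)
        ORDER BY built""", (out_ip, out_port, out_port, at, at)).fetchall()


def demo_conn():
    """In-memory database loaded with the constructed SAMPLE_LOG."""
    conn = sqlite3.connect(":memory:")
    load(SAMPLE_LOG.splitlines(), conn)
    return conn


if __name__ == "__main__":
    c = demo_conn()
    # Same outside address/port, two different answers depending on the time
    # in the abuse report.
    print(who_used(c, "192.0.2.10", "2005-04-28T12:58:30", 40001))
    print(who_used(c, "192.0.2.10", "2005-04-28T13:01:00", 40001))
```

The time window in the query is the whole point: without the Teardown records a port-based lookup would return both hosts that ever used 192.0.2.10/40001, and without the "torn_down IS NULL" branch a translation whose teardown was never logged would silently disappear from the results. When adapting this to real syslog, convert the year-less timestamps to a sortable form before loading, or the string comparison in who_used breaks across a year boundary.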