[unisog] sample NAT logs and analysis tools (OBSD- fp)

Michael Holstein michael.holstein at csuohio.edu
Thu Apr 28 13:09:08 GMT 2005


> If you are running NAT how do you deal with the "we saw a portscan from
> IP x (where x is the external address of the firewall)" if it was not
> picked up by snort?

I assume that you'll be doing the NAT with a network device (router, 
firewall, etc.) versus a Linux box or whatnot ... if that's the case, 
every router/firewall I've encountered (admittedly, this has been mostly 
Cisco/Checkpoint/Netscreen) logs creation of a translation.

e.g. on the Cisco: "built xlate 123456 for inside 1.2.3.4 to outside 
5.6.7.8"

Using Syslog-NG and the REGEX rules, you could stick just that info into 
MySQL and query it later.

Or you could just get a big disk and log everything in debug mode and go 
the old-fashioned route (e.g. "grep 1.2.3.4 firewall.log").

Another obvious answer is to just put another snort sensor in FRONT of 
the nat box. One can never have too many IDS systems ;)

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

