[Oisf-users] Visualization of subnets behind NAT router

Christophe Vandeplas christophe at vandeplas.com
Tue Sep 29 17:59:12 UTC 2015


If your users use a proxy (that doesn't clean up the x-forwarded-for
header) you can check the EVE json alert for the x-forwarded-for header.

The only other option is to remove the NAT or to move the place where your
IDS lies. This is the case for any IDS or other network device that logs
traffic.

On Sep 29, 2015 13:48, "Jose Carlos Álvarez" <jcalvarezvg at gmail.com> wrote:

> Hi all,
>
> My question is: if I have a setup like this, how can I make Suricata show
> in the alerts the IPs of the connected clients instead of only the IP of
> the NAT router? Is it possible?
>
> My setup:
>
> ADSL Router > Suricata IPS (NFQUEUE or AF_PACKET) > NAT Router > Switch >
> Clients
>
> Thanks in advance,
>
> José Carlos
>
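
One way to follow the suggestion in the reply above, as an added example that is not part of the original thread: it assumes Suricata's EVE alert output has its xff option enabled in extra-data mode, so alerts carry an `xff` field. The router address, the sample records and the function names are constructed for illustration.

```python
import ipaddress
import json
from collections import defaultdict

NAT_ROUTER_IP = "192.0.2.10"  # assumption: the NAT router's address as the sensor sees it

# Constructed sample EVE records (not real traffic): HTTP alerts with xff, one
# non-HTTP alert without it, a non-IP xff value, a non-alert event, a cut-off line.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","xff":"10.0.0.23","alert":{"signature_id":2000001}}
{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","xff":"10.0.0.42","alert":{"signature_id":2000002}}
{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.9","xff":"10.0.0.23","alert":{"signature_id":2000002}}
{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.9","alert":{"signature_id":2000003}}
{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","xff":"unknown","alert":{"signature_id":2000001}}
{"event_type":"http","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","xff":"10.0.0.99"}
{"event_type":"alert","src_ip":"192.0.
"""


def real_client(event, nat_ip=NAT_ROUTER_IP):
    """Return (client_ip, origin) for one alert; origin is 'xff' or 'src_ip'."""
    xff = event.get("xff")
    if event.get("src_ip") == nat_ip and xff:
        try:
            # X-Forwarded-For is supplied by the client or proxy and can be
            # forged, so accept it only as a well-formed address and keep the
            # origin label so analysts know it is a hint, not ground truth.
            return str(ipaddress.ip_address(xff.strip())), "xff"
        except ValueError:
            pass
    return event.get("src_ip"), "src_ip"


def alerts_by_client(lines, nat_ip=NAT_ROUTER_IP):
    """Group alert signature IDs by (client_ip, origin)."""
    grouped = defaultdict(list)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines
        if not isinstance(event, dict) or event.get("event_type") != "alert":
            continue
        key = real_client(event, nat_ip)
        grouped[key].append(event.get("alert", {}).get("signature_id"))
    return dict(grouped)


if __name__ == "__main__":
    for (client, origin), sids in sorted(alerts_by_client(SAMPLE_EVE.splitlines()).items()):
        print(f"{client:15} via {origin:6} sids={sids}")
```

Alerts that stay attributed to the router with origin `src_ip` are the ones this approach cannot resolve, which matches the reply's point that non-proxied traffic needs the sensor moved behind the NAT.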