[Bro] Alerting question on multi-homed bro box

Eric Wages ewages at colsa.com
Thu Apr 26 06:59:02 PDT 2007


We have bro configured to span a firewall, so we are watching the  
outside traffic, both inbound and outbound, as well as the internal  
interface both in and out. We're doing this as a sanity check to  
verify that, when attacks occur, if they penetrate and are successful.

One thing that I'm seeing is that, for example, we can see successful
triggers like IRC nickname changes occur with the server & outside
IP address, but we don't see an equivalent trigger on the internal
interface.

Consider the following alarm:

t=1177511147.420130 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS  
sa=A.B.C.D sp=1145/tcp da=E.F.G.H dp=6667/tcp file=s2b-542-10  
msg=A.B.C.D:\ CHAT\ IRC\ nick\ change sub=NICK\ Homerpf|CHAMP^J tag=@29

where A.B.C.D is one of the outside IP's associated with either the  
NAT or PAT range on our firewall. Should I also not see an equivalent  
trigger like:

t=1177511147.420130 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS  
sa=192.168.x.x sp=1145/tcp da=E.F.G.H dp=6667/tcp file=s2b-542-10  
msg=192.168.x.x:\ CHAT\ IRC\ nick\ change sub=NICK\ Homerpf|CHAMP^J  
tag=@29

where the source is the IP of the internal machine? If not, is there
any way we can configure bro to show those internal entries, since it
will help us find machines that are acting in a naughty manner.

Thanks,

-Eric

Eric Wages
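The post's underlying need is to tie an alarm seen on the outside (NAT/PAT) interface back to the internal host that caused it. The script below is an added example, not Eric's code and not part of Bro; it parses alarm lines in the `key=value` format quoted above (with `\ `-escaped spaces) and pairs outside-interface notices with inside-interface notices that share the signature, source port, destination and destination port within a small time window, relying on the common PAT behaviour of preserving the source port. The sample lines, the addresses (documentation ranges) and the assumption that the two sensors write to separate alarm files (Bro's alarm line itself does not name the interface) are all constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample alarm lines, in the format quoted in the post. Which file
# a line came from is used as its interface label; this is an assumption.
OUTSIDE_ALARMS = [
    "t=1177511147.420130 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS "
    "sa=203.0.113.7 sp=1145/tcp da=198.51.100.9 dp=6667/tcp file=s2b-542-10 "
    "msg=203.0.113.7:\\ CHAT\\ IRC\\ nick\\ change sub=NICK\\ Homerpf|CHAMP tag=@29",
    # Second outside notice with no inside counterpart (the situation described
    # in the post): different source port, nothing to pair it with.
    "t=1177511200.000000 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS "
    "sa=203.0.113.7 sp=2201/tcp da=198.51.100.9 dp=6667/tcp file=s2b-542-10 "
    "msg=203.0.113.7:\\ CHAT\\ IRC\\ nick\\ change sub=NICK\\ other tag=@30",
]
INSIDE_ALARMS = [
    "t=1177511147.418002 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS "
    "sa=192.168.1.20 sp=1145/tcp da=198.51.100.9 dp=6667/tcp file=s2b-542-10 "
    "msg=192.168.1.20:\\ CHAT\\ IRC\\ nick\\ change sub=NICK\\ Homerpf|CHAMP tag=@12",
]

# A field is a run of non-space characters where "\ " counts as one character.
_TOKEN = re.compile(r"(?:\\.|\S)+")

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_alarm(line):
    """Split one alarm line into a dict; turn backslash-escapes back into literals."""
    fields = {}
    for tok in _TOKEN.findall(line):
        key, _, val = tok.partition("=")
        fields[key] = re.sub(r"\\(.)", r"\1", val)
    return fields


def is_internal(addr):
    """True for RFC 1918 addresses, i.e. hosts behind the NAT/PAT firewall."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def correlate(outside_lines, inside_lines, window=2.0):
    """Pair outside notices with inside notices on (signature, sp, da, dp)
    within `window` seconds. Returns (pairs, unmatched): pairs is a list of
    (outside_notice, inside_notice); unmatched lists outside notices that
    had no internal counterpart, which is exactly what deserves a look."""
    index = defaultdict(list)
    for line in inside_lines:
        n = parse_alarm(line)
        if is_internal(n["sa"]):
            index[(n["no"], n["sp"], n["da"], n["dp"])].append(n)

    pairs, unmatched = [], []
    for line in outside_lines:
        o = parse_alarm(line)
        key = (o["no"], o["sp"], o["da"], o["dp"])
        hit = next((i for i in index.get(key, [])
                    if abs(float(i["t"]) - float(o["t"])) <= window), None)
        if hit is None:
            unmatched.append(o)
        else:
            pairs.append((o, hit))
    return pairs, unmatched


if __name__ == "__main__":
    pairs, unmatched = correlate(OUTSIDE_ALARMS, INSIDE_ALARMS)
    for o, i in pairs:
        print(f"{o['sa']}:{o['sp']} -> internal host {i['sa']}  ({o['msg']})")
    for o in unmatched:
        print(f"no internal notice for {o['sa']}:{o['sp']} -> {o['da']}:{o['dp']}")
```

The source-port match is the weak link: if the firewall rewrites ports under PAT, widen the key to (signature, da, dp) and lean harder on the time window, accepting the occasional ambiguous pair when several internal hosts talk to the same server at once.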


