[Bro] NAT connection logs
Johanna Amann
johanna at icir.org
Fri Oct 14 07:09:35 PDT 2016
Hello John,
> I have one physical powerful system that has two optical feeds from a
> passive tap that observes traffic from inside a firewall and outside the
> firewall. A lot of the connections are NAT leaving our gateway
>
> My question is regarding logging , with a cluster configuration (or any bro
> configuration for that matter) if a connection is outbound to an ip of
> 1.2.3.4 does bro see the connection as two separate streams with two
> separate log entries to follow that stream? Or one stream and the NAT
> conversion is within the log? I'm assuming the former and it sees it as
> two separate connections
>From your setup, I assume that you will see the traffic twice (once
with the internal IP and once with the IP of the NAT gateway).
In that case, the connections will be logged twice - Bro does not do any
kind of internal deduplication.
Johanna
More information about the Bro
mailing list