We have bro configured to span a firewall, so we are watching the outside traffic, both inbound and outbound, as well as the internal interface, both in and out. We're doing this as a sanity check to verify, when attacks occur, whether they penetrate and are successful.
One thing that I'm seeing is that, for example, we see successful triggers like IRC nickname changes occur with the server and outside IP address, but we don't see an equivalent trigger on the internal interface.
Consider the following alarm:
t=1177511147.420130 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS sa=A.B.C.D sp=1145/tcp da=E.F.G.H dp=6667/tcp file=s2b-542-10 msg=A.B.C.D:\ CHAT\ IRC\ nick\ change sub=NICK\ Homerpf|CHAMP^J tag=@29
where A.B.C.D is one of the outside IPs associated with either the NAT or PAT range on our firewall. Should I also not see an equivalent trigger like:
t=1177511147.420130 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS sa=192.168.x.x sp=1145/tcp da=E.F.G.H dp=6667/tcp file=s2b-542-10 msg=192.168.x.x:\ CHAT\ IRC\ nick\ change sub=NICK\ Homerpf|CHAMP^J tag=@29
where the source is the IP of the internal machine? If not, is there any way we can configure bro to show those internal entries, since it will help us find machines that are acting in a naughty manner.
Thanks,
-Eric
Eric Wages
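As an added example (not part of the original post, and not Bro's own code), the following Python parses alarm lines in the key=value format quoted above and correlates the outside-interface alarms with the inside-interface ones, so that an alarm attributed to a NAT/PAT address can be traced to the internal host that caused it. It also lists the outside alarms with no inside counterpart, which is exactly the gap the post describes. The IP addresses, timestamps and the second alarm are constructed sample data; the field names (t, sa, sp, da, dp, file, msg, sub, tag) are taken from the lines in the post. Matching on the destination, the signature file and the sub field rather than on the source port is an assumption made so that the join still works when PAT rewrites the source port.

```python
"""Correlate Bro SensitiveSignature alarms seen on the outside and inside
interfaces of a NAT firewall, mapping the public source address back to the
internal host. Example code, not part of Bro; sample alarms are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Fields are 'key=value' separated by spaces; a space inside a value is
# escaped as '\ ', as in the alarm lines quoted in the post.
_FIELD_SPLIT = re.compile(r'(?<!\\) ')


def parse_alarm(line: str) -> Dict[str, str]:
    """Parse one alarm line into a dict of field name -> unescaped value."""
    fields: Dict[str, str] = {}
    for token in _FIELD_SPLIT.split(line.strip()):
        if not token:
            continue
        key, sep, value = token.partition('=')
        if not sep:
            raise ValueError(f'malformed field {token!r}')
        fields[key] = value.replace('\\ ', ' ')
    return fields


def conn_key(alarm: Dict[str, str]) -> Tuple[str, str, str, str]:
    """Key that survives NAT/PAT: destination, port, signature and payload.
    The source address and source port are deliberately excluded."""
    return (alarm['file'], alarm['da'], alarm['dp'], alarm['sub'])


def correlate(outside: List[Dict[str, str]], inside: List[Dict[str, str]],
              window: float = 2.0) -> List[Tuple[Dict[str, str], Optional[Dict[str, str]]]]:
    """Pair each outside alarm with an inside alarm for the same connection
    whose timestamp lies within `window` seconds (None if no match)."""
    inside_by_key: Dict[Tuple[str, str, str, str], List[Dict[str, str]]] = {}
    for alarm in inside:
        inside_by_key.setdefault(conn_key(alarm), []).append(alarm)
    pairs = []
    for out in outside:
        match = None
        for cand in inside_by_key.get(conn_key(out), []):
            if abs(float(out['t']) - float(cand['t'])) <= window:
                match = cand
                break
        pairs.append((out, match))
    return pairs


def nat_map(outside_lines: List[str], inside_lines: List[str],
            window: float = 2.0):
    """Return (public address -> set of internal hosts, alarms seen only outside)."""
    outside = [parse_alarm(line) for line in outside_lines]
    inside = [parse_alarm(line) for line in inside_lines]
    mapping: Dict[str, set] = {}
    blind: List[Dict[str, str]] = []
    for out, match in correlate(outside, inside, window):
        if match is None:
            blind.append(out)          # inside sensor did not see this one
        else:
            mapping.setdefault(out['sa'], set()).add(match['sa'])
    return mapping, blind


# Constructed sample alarms (documentation-range addresses, invented times).
OUTSIDE_ALARMS = [
    r"t=1177511147.420130 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS sa=203.0.113.5 sp=1145/tcp da=198.51.100.7 dp=6667/tcp file=s2b-542-10 msg=203.0.113.5:\ CHAT\ IRC\ nick\ change sub=NICK\ Homerpf|CHAMP^J tag=@29",
    r"t=1177511203.118204 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS sa=203.0.113.5 sp=1151/tcp da=198.51.100.7 dp=6667/tcp file=s2b-542-10 msg=203.0.113.5:\ CHAT\ IRC\ nick\ change sub=NICK\ Marge42^J tag=@30",
]
INSIDE_ALARMS = [
    r"t=1177511147.419877 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS sa=192.168.1.23 sp=1145/tcp da=198.51.100.7 dp=6667/tcp file=s2b-542-10 msg=192.168.1.23:\ CHAT\ IRC\ nick\ change sub=NICK\ Homerpf|CHAMP^J tag=@12",
]

if __name__ == '__main__':
    hosts, unseen = nat_map(OUTSIDE_ALARMS, INSIDE_ALARMS)
    for public, internal in hosts.items():
        print(f'{public} -> {sorted(internal)}')
    for alarm in unseen:
        print(f"no inside alarm for tag {alarm['tag']} ({alarm['msg']})")
```

Feeding both interfaces' alarm files through nat_map gives the internal host list the post asks for whenever the inside sensor did fire; the "seen only outside" list is the starting point for checking why the inside interface stayed quiet (span configuration, the signature's address selector, or a connection the inside tap simply never carried).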