NAT connection logs

Hi all

In my implementation of Bro I am observing traffic from two different zones on the one physical box.

I have one physical, powerful system that has two optical feeds from a passive tap that observes traffic from inside a firewall and outside the firewall. A lot of the connections are NATed when leaving our gateway.

My question is regarding logging. With a cluster configuration (or any Bro configuration for that matter), if a connection is outbound to an IP of 1.2.3.4, does Bro see the connection as two separate streams, with two separate log entries to follow that stream? Or as one stream, with the NAT conversion within the log? I'm assuming the former, and that it sees it as two separate connections.

I'm just considering whether it's worth having that level of visibility, as my logs folder is obviously a combination of both interfaces and I don't want to be potentially storing duplicate data :) All data is then ingested into a SIEM, so I can search both IPs if I know what they are, but if I can reduce it down to one search query and see the whole connection, obviously that's better :)

Cheers
John

Hello John,

> I have one physical, powerful system that has two optical feeds from a
> passive tap that observes traffic from inside a firewall and outside the
> firewall. A lot of the connections are NATed when leaving our gateway.
>
> My question is regarding logging. With a cluster configuration (or any Bro
> configuration for that matter), if a connection is outbound to an IP of
> 1.2.3.4, does Bro see the connection as two separate streams, with two
> separate log entries to follow that stream? Or as one stream, with the NAT
> conversion within the log? I'm assuming the former, and that it sees it as
> two separate connections.

From your setup, I assume that you will see the traffic twice (once
with the internal IP and once with the IP of the NAT gateway).

In that case, the connections will be logged twice - Bro does not do any
kind of internal deduplication.

Johanna
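Since Bro logs each NAT'd connection twice and does no deduplication, the pairing has to happen downstream. The following is an added example, not code from this thread or from Bro/Zeek, that pairs the inside and outside conn.log records of the same connection after the fact. It assumes conn.log in JSON format, that the NAT gateway preserves the client's source port, and that the gateway's public address (203.0.113.7 here, a constructed value) is known to the analyst.

```python
# Added example: pair the duplicated conn.log records that Bro writes when
# the same NAT'd connection is seen on the inside and outside taps.
# Assumptions (not from the thread): conn.log is in JSON format, the NAT
# gateway preserves the client's source port, and records whose originator
# is the gateway's public address are the outside view of a connection.
import json
from collections import defaultdict

# Constructed sample conn.log lines, not real captures. 203.0.113.7 stands
# in for the NAT gateway; 1.2.3.4 is the external server from the thread.
SAMPLE_CONN_LOG = """\
{"ts":1500000000.10,"uid":"CIn1","id.orig_h":"10.1.2.3","id.orig_p":51000,"id.resp_h":"1.2.3.4","id.resp_p":443,"proto":"tcp"}
{"ts":1500000000.12,"uid":"COut1","id.orig_h":"203.0.113.7","id.orig_p":51000,"id.resp_h":"1.2.3.4","id.resp_p":443,"proto":"tcp"}
{"ts":1500000005.00,"uid":"CIn2","id.orig_h":"10.1.2.9","id.orig_p":40000,"id.resp_h":"1.2.3.4","id.resp_p":80,"proto":"tcp"}
{"ts":1500000040.00,"uid":"COut2","id.orig_h":"203.0.113.7","id.orig_p":40000,"id.resp_h":"1.2.3.4","id.resp_p":80,"proto":"tcp"}
"""

def pair_nat_flows(lines, nat_gateway="203.0.113.7", max_skew=2.0):
    """Return (inside_uid, outside_uid) pairs plus a list of unmatched uids.

    Views match when proto, responder host/port and originator port agree and
    their timestamps differ by at most max_skew seconds (same box, low skew).
    """
    inside, outside = [], defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        key = (rec["proto"], rec["id.resp_h"], rec["id.resp_p"], rec["id.orig_p"])
        if rec["id.orig_h"] == nat_gateway:
            outside[key].append(rec)
        else:
            inside.append((key, rec))
    pairs, unmatched = [], []
    for key, rec in inside:
        cands = [o for o in outside[key] if abs(o["ts"] - rec["ts"]) <= max_skew]
        if cands:
            best = min(cands, key=lambda o: abs(o["ts"] - rec["ts"]))
            outside[key].remove(best)
            pairs.append((rec["uid"], best["uid"]))
        else:
            unmatched.append(rec["uid"])  # seen inside only, or skew too large
    unmatched.extend(o["uid"] for recs in outside.values() for o in recs)
    return pairs, unmatched

if __name__ == "__main__":
    pairs, leftovers = pair_nat_flows(SAMPLE_CONN_LOG.splitlines())
    print("paired:", pairs)         # [('CIn1', 'COut1')]
    print("unmatched:", leftovers)  # ['CIn2', 'COut2']
```

Unmatched records are worth keeping rather than dropping: a connection seen on only one side of the firewall is exactly what a blocked or asymmetrically routed flow looks like.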