If I'm MASQing my internal and DMZ networks to my external interface, and have the Snort interface set to external, will it report outgoing violations with the MASQed address or the actual internal address that originated the violation?
i am not quite sure what you mean by setting the snort interface?
The snort engine is integrated after the FORWARD chain but in front of the second routing decision and the PREROUTING chain. Therfor the the snort engine sees the same packets as the FORWARD chain.
you need to configure the local networks, so that the ids knows if this is incoming our outgoing connection.
I guess what I'm asking is... If I designate my external interface address as the local address, will Snort alert on an HTTP attack if the Advanced Settings menu has the HTTP servers set to the internal address of my HTTP server? Also, if bad traffic originates on my HTTP server, will Snort report the internal HTTP server address as the originating IP? Also, have you noticed that the HTTP proxy has problems if the IDS/IPS is turned on?
I assume your webserver is in your local LAN and you use a DNAT rule do make him accessable from the internet, right?
In order to protect such a scenario, you only have to add the local LAN to the protected networks, not the external interface, and select you HTTP server und the IPS Advansed section.
Snort will report an incoming request (public sender address and private destination) amd am outgoing (private sender and public destinaton), just like the packetfilter sees the packets.
