Snort mailing list archives

Problems with detecting source ip


From: Dmitry Korzhevin <dmitry.korzhevin () stidia com>
Date: Wed, 28 Nov 2012 12:04:19 +0200

Hi,

I have a server which I use for VPN (ipsec and pptp). I configured Snort+barnyard2+mysql+snorby web interface.

The problem is that when I log in to the Snorby web interface, I see many alerts, but for all alerts the Source IP is the server IP. I wish to see the internal client IP, not the server IP.

For example, when I run tshark -i any -R "bittorrent":

# tshark -i any -R "bittorrent"
Capturing on Pseudo-device that captures on all interfaces
  0.186331     10.1.0.6 -> 83.183.20.85 BitTorrent Handshake
  0.186493 SERVER_IP -> 83.183.20.85 BitTorrent Handshake
  0.211505   10.2.0.227 -> 66.103.54.123 BitTorrent Handshake
  0.211542 SERVER_IP -> 66.103.54.123 BitTorrent Handshake
  0.234439     10.1.0.6 -> 61.91.88.16  BitTorrent Handshake
  0.234541 SERVER_IP -> 61.91.88.16  BitTorrent Handshake
  0.455423   10.2.0.227 -> 60.242.30.41 BitTorrent Handshake
  0.455481 SERVER_IP -> 60.242.30.41 BitTorrent Handshake
  0.514257     10.1.0.6 -> 60.240.60.47 BitTorrent Handshake
  0.514393 SERVER_IP -> 60.240.60.47 BitTorrent Handshake
  0.518330     10.1.0.6 -> 2.49.75.55   BitTorrent Handshake
  0.518585 SERVER_IP -> 2.49.75.55   BitTorrent Handshake
  0.666966   2.49.75.55 -> SERVER_IP BitTorrent Handshake Continuation data
  0.667015   2.49.75.55 -> 10.1.0.6     BitTorrent Handshake Continuation data
  0.834378     10.1.0.6 -> 2.49.75.55   BitTorrent Continuation data
  0.834769 SERVER_IP -> 2.49.75.55   BitTorrent Continuation data
  0.979155   2.49.75.55 -> SERVER_IP BitTorrent Continuation data
  0.979236   2.49.75.55 -> 10.1.0.6     BitTorrent Continuation data
  1.226297     10.1.0.6 -> 2.49.75.55   BitTorrent Continuation data
  1.226396 SERVER_IP -> 2.49.75.55   BitTorrent Continuation data
  1.620905   10.2.0.227 -> 60.242.30.41 BitTorrent Handshake
  1.620970 SERVER_IP -> 60.242.30.41 BitTorrent Handshake
  4.574414     10.1.0.6 -> 84.94.43.44  BitTorrent Handshake
  4.574680 SERVER_IP -> 84.94.43.44  BitTorrent Handshake
  4.670606     10.1.0.6 -> 71.101.94.25 BitTorrent Handshake
  4.671105 SERVER_IP -> 71.101.94.25 BitTorrent Handshake
26 packets captured


I see both the server IP and the clients' IPs; I wish to see the same in Snorby, detected by Snort.

My software version:

Debian 6.0.6

Snort Version 2.9.3.1 IPv6 GRE (Build 40)
By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.3.0
Using PCRE version: 8.02 2010-03-19
Using ZLIB version: 1.2.3.4



/etc/snort/rules/local.rules:

http://paste.debian.net/212952/

/etc/snort/snort.conf:

http://paste.debian.net/212954/


Please advise.

Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg

e: dmitry.korzhevin () stidia com
m: +38 093 874 5453
w: http://www.stidia.com

Attachment: smime.p7s
Description: S/MIME cryptographic signature
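As an added example (not part of Dmitry's post or of Snort): a short Python script that reads tshark -i any summary lines like the ones above and pairs each packet carrying the server address (the one Snort and Snorby report) with its private-address twin, the pre-NAT copy just before it for outbound traffic or the de-NATed copy just after it for inbound traffic, so an alert logged against the server IP can be traced back to the VPN client. The 5 ms pairing window and the SERVER_IP placeholder are assumptions.

```python
import ipaddress
import re

# Constructed sample: lines copied from the tshark -i any output in the post;
# SERVER_IP is the post's placeholder for the VPN server's public address.
SAMPLE = """\
  0.186331     10.1.0.6 -> 83.183.20.85 BitTorrent Handshake
  0.186493 SERVER_IP -> 83.183.20.85 BitTorrent Handshake
  0.211505   10.2.0.227 -> 66.103.54.123 BitTorrent Handshake
  0.211542 SERVER_IP -> 66.103.54.123 BitTorrent Handshake
  0.979155   2.49.75.55 -> SERVER_IP BitTorrent Continuation data
  0.979236   2.49.75.55 -> 10.1.0.6     BitTorrent Continuation data
"""

LINE = re.compile(r"^\s*(\d+\.\d+)\s+(\S+)\s+->\s+(\S+)\s+(.*?)\s*$")
WINDOW = 0.005  # assumed max gap (s) between the two copies of one packet

def is_private(addr):
    """True for RFC 1918 style addresses; False for the SERVER_IP placeholder."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False

def parse(text):
    """tshark summary lines -> [(time, src, dst, info)]; other lines skipped."""
    rows = (m.groups() for m in map(LINE.match, text.splitlines()) if m)
    return [(float(t), s, d, info) for t, s, d, info in rows]

def correlate(text, server_ip):
    """Map every packet that carries server_ip (what Snort/Snorby reports)
    to the VPN client behind it: {(time, src, dst): client_ip}."""
    pkts = parse(text)
    out = {}
    for i, (t, src, dst, info) in enumerate(pkts):
        if src == server_ip:       # outbound: pre-NAT copy, client is its src
            side, peer = 0, dst
        elif dst == server_ip:     # inbound: de-NATed copy, client is its dst
            side, peer = 1, src
        else:
            continue
        for j in range(max(0, i - 4), min(len(pkts), i + 5)):
            qt, qs, qd, qinfo = pkts[j]
            if j == i or abs(qt - t) > WINDOW or qinfo != info:
                continue
            client, other = ((qs, qd), (qd, qs))[side]
            if other == peer and is_private(client):
                out[(t, src, dst)] = client
                break
    return out
```

Running correlate(SAMPLE, "SERVER_IP") yields one entry per server-address packet, each mapped to 10.1.0.6 or 10.2.0.227.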
