Snort mailing list archives

home_net as source?


From: Michael Wisniewski <wiz561 () gmail com>
Date: Fri, 7 Mar 2014 09:29:10 -0600

I have a question about some of the results I'm seeing.  The majority of
results are having the traffic go as expected with external/outside IPs
alerting on my home_net address.  Some alerts have my home_net as the
source and outside IPs as the destination.  This is most prevalent in port
scanning.

I'm about 99% positive that I'm not starting the portscan from inside... but
for some reason, Snort thinks I am.

I'm just wondering what the cause of this is.  To me, it seems kind of
backwards, but I know that depending on where the sensor is, it might make
a difference.  My setup is that I mirrored the port the cable modem is
plugged into and then that goes into the firewall...  So...

Cable Modem -> Switch Port 1
Firewall/Router -> Port 2
Snort sensor -> Port 5

Mirrored port 1.

Any help is appreciated.

Thanks!