How do you trace NAT'd hosts that set off snort alarms? I have snort running in my DMZ.
Say you have an internal user that fires off a port scan to an external host. Snort picks it up but shows the NAT'd IP. How could you trace it?
I'm guessing you could add an additional IDS for the internal LAN?