[Oisf-users] How to show which IP address made the request inside an alert

C. L. Martinez carlopmart at gmail.com
Mon Aug 26 10:22:04 UTC 2013

Hi all,

 I have one Suricata sensor monitoring proxy traffic that comes and goes
to it ... All works OK (until now), but I would like to see which IP
address made a certain request inside the alert. For example:

08/26/2013-10:18:01.195424  [**] [1:2520396:1580] ET TOR Known Tor
Exit Node Traffic (199) [**] [Classification: Misc Attack] [Priority:
2] {TCP} -> is my internal proxy, but the request comes from an internal
workstation. How can I add the workstation IP to this alert?

 Is it possible to do it?
