[Oisf-users] How to show which IP address made the request inside an alert
C. L. Martinez
carlopmart at gmail.com
Mon Aug 26 10:22:04 UTC 2013
Hi all,
I have one Suricata sensor monitoring proxy traffic that comes and goes
to it ... All works ok (until now), but I would like to see which IP
address made a certain request inside the alert. For example:
08/26/2013-10:18:01.195424 [**] [1:2520396:1580] ET TOR Known Tor Exit Node Traffic (199) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 5.9.88.18:8080 -> 10.0.0.15:62452
10.0.0.15 is my internal proxy, but the request comes from an internal
workstation. How can I add the workstation IP to this alert?
Is it possible to do it?