[Oisf-users] How to show what ip address do the request inside an alert

Peter Manev petermanev at gmail.com
Mon Aug 26 12:16:12 UTC 2013


On Mon, Aug 26, 2013 at 1:22 PM, C. L. Martinez <carlopmart at gmail.com> wrote:
> Hi all,
>
>  I have one Suricata sensor monitoring proxy traffic that comes and goes
> to it ... All works OK (until now), but I would like to see which IP
> address makes a certain request inside the alert. For example:
>
> 08/26/2013-10:18:01.195424  [**] [1:2520396:1580] ET TOR Known Tor Exit Node Traffic (199) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 5.9.88.18:8080 -> 10.0.0.15:62452
>
> 10.0.0.15 is my internal proxy, but the request comes from an internal
> workstation. How can I add the workstation IP to this alert??

I think it is best to put the IDS box behind the proxy. That way you
would see the internal IPs as well.

>
>  Is it possible to do it??
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/



-- 
Regards,
Peter Manev
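To make the placement problem in this thread concrete, here is an added example (not code from the thread or from the Suricata project) that parses fast.log alert lines in the format quoted above and reports, per alert, whether the internal endpoint is a proxy address. When it is, the alert can only ever name the proxy, because the sensor in front of the proxy never sees the workstation's flow, which is exactly why the reply recommends moving the sensor behind the proxy. The sample lines, the proxy address 10.0.0.15, the internal network 10.0.0.0/8 and the second workstation alert are constructed for the example; the parser assumes IPv4 addresses in the `src:port -> dst:port` part of the line.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Matches one Suricata fast.log line of the shape quoted in the thread:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
# Assumption: IPv4 endpoints (IPv6 in fast.log is not bracketed, so the colon split would be ambiguous).
FASTLOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_fastlog(line: str) -> Optional[Alert]:
    """Parse one fast.log line; return None for lines that do not match the format."""
    m = FASTLOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Alert(d["ts"], int(d["gid"]), int(d["sid"]), int(d["rev"]), d["msg"],
                 d["cls"], int(d["prio"]), d["proto"],
                 d["src"], int(d["sport"]), d["dst"], int(d["dport"]))


def client_visibility(alert: Alert, proxies: set, internal_nets: list):
    """Classify whether the alert can name the originating workstation.

    Returns (status, internal_ip):
      "proxy"    - the internal endpoint is a proxy; the real client is not in the alert
      "direct"   - an internal host talks directly; the alert names it
      "external" - neither endpoint is in an internal range
    """
    for addr in (alert.src, alert.dst):
        if addr in proxies:
            return "proxy", addr
    for addr in (alert.src, alert.dst):
        if any(ip_address(addr) in net for net in internal_nets):
            return "direct", addr
    return "external", None


def summarize(lines, proxies: set, internal_nets: list) -> dict:
    """Count alerts by visibility status; unparsable lines are counted separately."""
    counts = {"proxy": 0, "direct": 0, "external": 0, "unparsed": 0}
    for line in lines:
        alert = parse_fastlog(line)
        if alert is None:
            counts["unparsed"] += 1
            continue
        status, _ = client_visibility(alert, proxies, internal_nets)
        counts[status] += 1
    return counts


# Constructed sample input: the line from the thread, a constructed direct-workstation
# alert with the same signature, and one non-alert line to exercise the parser's failure path.
SAMPLE_LINES = [
    "08/26/2013-10:18:01.195424  [**] [1:2520396:1580] ET TOR Known Tor Exit Node Traffic (199) [**] "
    "[Classification: Misc Attack] [Priority: 2] {TCP} 5.9.88.18:8080 -> 10.0.0.15:62452",
    "08/26/2013-10:19:44.001122  [**] [1:2520396:1580] ET TOR Known Tor Exit Node Traffic (199) [**] "
    "[Classification: Misc Attack] [Priority: 2] {TCP} 10.0.0.37:51020 -> 5.9.88.18:8080",
    "26/08/2013 -- this is not a fast.log line",
]
PROXIES = {"10.0.0.15"}              # assumed: the internal proxy from the thread
INTERNAL = [ip_network("10.0.0.0/8")]  # assumed: the site's internal address space

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        a = parse_fastlog(line)
        if a is None:
            print("unparsed:", line)
            continue
        status, ip = client_visibility(a, PROXIES, INTERNAL)
        print(f"sid={a.sid} {a.src}:{a.sport} -> {a.dst}:{a.dport} status={status} internal={ip}")
    print(summarize(SAMPLE_LINES, PROXIES, INTERNAL))
```

Run against a real fast.log, a non-zero "proxy" count is the measure of how many alerts currently cannot be attributed to a workstation; after the sensor is moved behind the proxy those alerts should instead show up under "direct" with the workstation address as the internal endpoint.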
