[Oisf-users] How to show what ip address do the request inside an alert

Peter Manev petermanev at gmail.com
Mon Aug 26 12:16:12 UTC 2013

On Mon, Aug 26, 2013 at 1:22 PM, C. L. Martinez <carlopmart at gmail.com> wrote:
> Hi all,
>  I have one suricata sensor monitoring proxy traffic that comes and go
> to it ... All works ok (until now), but I would like to see what ip
> address do certain request inside the alert. For example:
> 08/26/2013-10:18:01.195424  [**] [1:2520396:1580] ET TOR Known Tor
> Exit Node Traffic (199) [**] [Classification: Misc Attack] [Priority:
> 2] {TCP} ->
> is my internal proxy, but the request comes from an internal
> workstation. How can I add workstation IP to this alert??

I think it is best to put the ids box behind the proxy. That way you
would see the internal IPs as well.

>  Is it possible to do it??
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

Peter Manev

More information about the Oisf-users mailing list