[Oisf-users] How to show what ip address do the request inside an alert

Cooper F. Nelson cnelson at ucsd.edu
Mon Aug 26 15:41:54 UTC 2013



That won't work for IP-only rules, as they will only trigger on the
outside of the proxy.

If you are using a web proxy, you can add the "X-Forwarded-For" header
to show the origin IP.  You can then use unified2 alerts and write a
perl/python script to extract the source IP and produce a new log.  Or
if you are using a front-end like Snorby you could just check the logged
payload.

If you don't want to leak the origin IP you could probably write a
post-processor that would merge the suricata logs with proxy logs.  But
suricata does not have this feature built-in.

-Coop

P.S.  Would be nice if libhtp had the feature to "follow X-Forwarded-For"
to allow logging of origin IPs.

On 8/26/2013 5:16 AM, Peter Manev wrote:
> On Mon, Aug 26, 2013 at 1:22 PM, C. L. Martinez <carlopmart at gmail.com> wrote:
>> Hi all,
>>
>>  I have one suricata sensor monitoring proxy traffic that comes and goes
>> to it ... All works ok (until now), but I would like to see what ip
>> address does a certain request inside the alert. For example:
>>
>> 08/26/2013-10:18:01.195424  [**] [1:2520396:1580] ET TOR Known Tor
>> Exit Node Traffic (199) [**] [Classification: Misc Attack] [Priority:
>> 2] {TCP} 5.9.88.18:8080 -> 10.0.0.15:62452
>>
>> 10.0.0.15 is my internal proxy, but the request comes from an internal
>> workstation. How can I add workstation IP to this alert??
> 
> I think it is best to put the ids box behind the proxy. That way you
> would see the internal IPs as well.
> 
>>
>>  Is it possible to do it??
-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
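The two options Coop describes (a script that reads the X-Forwarded-For header out of the logged request payload, or a post-processor that merges the Suricata alert with the proxy's own access log) as a worked example. This is an added illustration, not code from the thread or from Suricata; it assumes the fast.log line format quoted above, a Squid-style native access.log line, that the proxy is 10.0.0.15 as in the example alert, and that sensor and proxy clocks agree. The payload and proxy-log line are constructed sample data.

```python
"""Rewrite Suricata fast.log alerts so they name the workstation behind a web
proxy.  Hypothetical helper, not part of Suricata.

Two strategies, tried in order:
  1. X-Forwarded-For in the captured HTTP request (only the rightmost value,
     the one our own proxy appended, is trusted; anything a client sent
     further left is attacker-controlled).
  2. Time-window match against the proxy access log for the same external
     host, when no payload was logged.
"""
import ipaddress
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlparse

PROXY_IP = "10.0.0.15"  # internal proxy from the thread's example alert

# fast.log line as quoted in the thread: "<ts>  [**] ... {PROTO} src:sp -> dst:dp"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d+)\s+(?P<body>.*\{\w+\})\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
XFF_RE = re.compile(r"^X-Forwarded-For:\s*(?P<v>.+?)\s*$", re.I | re.M)
# Squid native format: epoch elapsed client action/code size method url ...
SQUID_RE = re.compile(
    r"^(?P<epoch>\d+\.\d+)\s+\d+\s+(?P<client>[\d.]+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)"
)


def parse_alert(line: str) -> dict:
    """Split a fast.log line into its fields and parse the timestamp."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("not a fast.log alert line: %r" % line)
    alert = m.groupdict()
    alert["time"] = datetime.strptime(alert["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    return alert


def origin_from_xff(payload: bytes) -> Optional[str]:
    """Return the address our proxy appended to X-Forwarded-For, or None."""
    m = XFF_RE.search(payload.decode("latin-1", errors="replace"))
    if not m:
        return None
    hops = [h.strip() for h in m.group("v").split(",")]
    try:
        return str(ipaddress.ip_address(hops[-1]))  # rightmost = last trusted hop
    except ValueError:
        return None  # malformed value: refuse to guess


def origin_from_proxy_log(alert: dict, proxy_log: str, window_s: float = 2.0) -> Optional[str]:
    """Fallback: closest proxy-log request to the alert's external host in time."""
    external = alert["src"] if alert["dst"] == PROXY_IP else alert["dst"]
    best = None
    for line in proxy_log.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue
        t = datetime.fromtimestamp(float(m.group("epoch")), tz=timezone.utc).replace(tzinfo=None)
        delta = abs((t - alert["time"]).total_seconds())
        if urlparse(m.group("url")).hostname == external and delta <= window_s:
            if best is None or delta < best[0]:
                best = (delta, m.group("client"))
    return best[1] if best else None


def rewrite_alert(line: str, origin_ip: str) -> str:
    """Replace the proxy's address with the origin; ports are kept so the
    original flow can still be found in the sensor's own logs."""
    a = parse_alert(line)
    if a["src"] == PROXY_IP:
        src, dst = origin_ip, a["dst"]
    elif a["dst"] == PROXY_IP:
        src, dst = a["src"], origin_ip
    else:
        return line  # proxy not involved, nothing to rewrite
    return "%s  %s %s:%s -> %s:%s" % (a["ts"], a["body"], src, a["sport"], dst, a["dport"])


def resolve_origin(alert_line: str, payload: Optional[bytes] = None, proxy_log: str = "") -> str:
    """Produce the rewritten alert line, or the original if no origin is found."""
    alert = parse_alert(alert_line)
    origin = origin_from_xff(payload) if payload else None
    if origin is None and proxy_log:
        origin = origin_from_proxy_log(alert, proxy_log)
    return rewrite_alert(alert_line, origin) if origin else alert_line


# --- constructed sample data -------------------------------------------------
ALERT = ("08/26/2013-10:18:01.195424  [**] [1:2520396:1580] ET TOR Known Tor "
         "Exit Node Traffic (199) [**] [Classification: Misc Attack] [Priority: 2] "
         "{TCP} 5.9.88.18:8080 -> 10.0.0.15:62452")
# Request as a proxy with X-Forwarded-For enabled would send it (constructed).
PAYLOAD = (b"GET / HTTP/1.1\r\nHost: 5.9.88.18:8080\r\n"
           b"X-Forwarded-For: 192.168.1.50\r\nVia: 1.1 proxy\r\n\r\n")
# Squid-style access.log line (constructed); epoch 1377512281 = 2013-08-26 10:18:01 UTC.
PROXY_LOG = ("1377512281.195    120 192.168.1.50 TCP_MISS/200 512 GET "
             "http://5.9.88.18:8080/ - DIRECT/5.9.88.18 text/html\n")

if __name__ == "__main__":
    print(resolve_origin(ALERT, PAYLOAD))
    print(resolve_origin(ALERT, proxy_log=PROXY_LOG))
```

The proxy-log fallback only works when the proxy's client address is what you want to record; if the goal is not to leak origin IPs at all, the merge step is where you would instead substitute a pseudonymous identifier for the client field.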


