[Oisf-users] How to show what ip address do the request inside an alert

Cooper F. Nelson cnelson at ucsd.edu
Mon Aug 26 15:41:54 UTC 2013


That won't work for IP-only rules, as they will only trigger on the
outside of the proxy.

If you are using a web proxy, you can add the "X-Forwarded-For" header
to show the origin IP.  You can then use unified2 alerts and write a
perl/python script to extract the source IP and produce a new log.  Or
if you are using a front-end like Snorby you could just check the logged

If you don't want to leak the origin IP you could probably write a
post-processor that would merge the suricata logs with proxy logs.  But
suricata does not have this feature built-in.

-Coop

P.S.  Would be nice if libhtp had the feature to "follow X-Forwarded-For"
to allow logging of origin IPs.

On 8/26/2013 5:16 AM, Peter Manev wrote:
> On Mon, Aug 26, 2013 at 1:22 PM, C. L. Martinez <carlopmart at gmail.com> wrote:
>> Hi all,
>>  I have one suricata sensor monitoring proxy traffic that comes and goes
>> to it ... All works ok (until now), but I would like to see what IP
>> address makes a certain request inside the alert. For example:
>> 08/26/2013-10:18:01.195424  [**] [1:2520396:1580] ET TOR Known Tor
>> Exit Node Traffic (199) [**] [Classification: Misc Attack] [Priority:
>> 2] {TCP} ->
>> is my internal proxy, but the request comes from an internal
>> workstation. How can I add workstation IP to this alert??
> I think it is best to put the ids box behind the proxy. That way you
> would see the internal IPs as well.
>>  Is it possible to do it??
-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
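As an added illustration of the post-processor Coop describes (merging Suricata alerts with proxy logs to recover the origin workstation), and not code from the list or the Suricata project: the script below parses fast.log lines in the format quoted in the thread and joins each alert to the nearest proxy-log entry for the same destination. The fast.log and proxy-log samples, the IP addresses, and the simplified one-line proxy log format are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not real logs): 10.0.0.5 stands in for the
# internal proxy, 10.0.1.23 / 10.0.1.40 for workstations behind it, and
# 198.51.100.x (TEST-NET-2) for the external hosts that fired the rule.
FAST_LOG = """\
08/26/2013-10:18:01.195424  [**] [1:2520396:1580] ET TOR Known Tor Exit Node Traffic (199) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.0.0.5:41234 -> 198.51.100.7:443
08/26/2013-10:19:30.000001  [**] [1:2520396:1580] ET TOR Known Tor Exit Node Traffic (199) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.0.0.5:41300 -> 198.51.100.9:443
"""
# Hypothetical, simplified proxy access log: "<iso timestamp> <client ip> <dest ip>:<dest port>".
# A real Squid/nginx log needs its own parser, but the join logic is the same.
PROXY_LOG = """\
2013-08-26T10:18:00 10.0.1.23 198.51.100.7:443
2013-08-26T10:18:05 10.0.1.40 198.51.100.7:443
"""

# fast.log: "<ts>  [**] [gid:sid:rev] msg [**] [...] {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(r"^(\S+)\s+\[\*\*\].*\{\w+\}\s+(\S+)\s+->\s+(\S+)$")

def parse_alerts(text):
    """Yield (timestamp, src, dst, raw_line) for each parseable fast.log line."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y-%H:%M:%S.%f")
            yield ts, m.group(2), m.group(3), line

def parse_proxy(text):
    """Return a list of (timestamp, client_ip, dest) from the constructed proxy log."""
    entries = []
    for line in text.splitlines():
        ts, client, dest = line.split()
        entries.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), client, dest))
    return entries

def origin_for(alert_ts, dst, proxy_entries, window=timedelta(seconds=2)):
    """Client IP of the proxy entry for the same destination closest in time
    to the alert (within `window`), or None when no entry matches."""
    best = None
    for ts, client, dest in proxy_entries:
        delta = abs(ts - alert_ts)
        if dest == dst and delta <= window and (best is None or delta < best[0]):
            best = (delta, client)
    return best[1] if best else None

def annotate(fast_log=FAST_LOG, proxy_log=PROXY_LOG):
    """Append '[origin: <ip>]' to each alert; 'unknown' when no proxy entry correlates."""
    entries = parse_proxy(proxy_log)
    return [f"{line} [origin: {origin_for(ts, dst, entries) or 'unknown'}]"
            for ts, src, dst, line in parse_alerts(fast_log)]
```

Clock skew between sensor and proxy decides how wide `window` must be; an `unknown` origin on a real deployment usually means the two clocks disagree by more than that window.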

