[Oisf-users] How to show what ip address do the request inside an alert
Cooper F. Nelson
cnelson at ucsd.edu
Mon Aug 26 15:41:54 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
That won't work for IP-only rules, as they will only trigger on the
outside of the proxy.
If you are using a web proxy, you can add the "X-Forwarded-For" header
to show the origin IP. You can then use unified2 alerts and write a
perl/python script to extract the source IP and produce a new log. Or
if you are using a front-end like Snorby you could just check the logged
payload.
If you don't want to leak the origin IP you could probably write a
post-processor that would merge the suricata logs with proxy logs. But
suricata does not have this feature built-in.
- -Coop
P.S. Would be nice if libhtp had the feature to "follow X-Forwared-For"
to allow logging of origin IPs.
On 8/26/2013 5:16 AM, Peter Manev wrote:
> On Mon, Aug 26, 2013 at 1:22 PM, C. L. Martinez <carlopmart at gmail.com> wrote:
>> Hi all,
>>
>> I have one suricata sensor monitoring proxy traffic that comes and go
>> to it ... All works ok (until now), but I would like to see what ip
>> address do certain request inside the alert. For example:
>>
>> 08/26/2013-10:18:01.195424 [**] [1:2520396:1580] ET TOR Known Tor
>> Exit Node Traffic (199) [**] [Classification: Misc Attack] [Priority:
>> 2] {TCP} 5.9.88.18:8080 -> 10.0.0.15:62452
>>
>> 10.0.0.15 is my internal proxy, but the request comes from an internal
>> workstation. How can I add workstation IP to this alert??
>
> I think it is best to put the ids box behind the proxy. That way you
> would see the internal IPs as well.
>
>>
>> Is it possible to do it??
>> _______________________________________________
- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJSG3dCAAoJEKIFRYQsa8FW638H/jHg1n5NWMErgUE/SlDyX5lm
i/Wmj/jTFoU9FgdOvVYzrRwC8bZ6v49BYdz2jAQ0meLr0pmVnLUlw6GeK08kcg0k
Ub5nls0nbP4fM2yrhLmkkbvUVv6R3AtUVMs+jp4G2goIb/cc4dwax6dPIc1lmMz5
6oP2slgVtmRuterODIXabOpkMgxvJ05sfDKP+wCNnxjSCN0TUuf6bkPo0PdJFkgt
/iVx37nnv8RXLW44lAQlx6eWw2LnzJ6IWOq58fIn3hNQODLL1wA4xuEWT/DBwSz7
vGaEgdtIsYXoBbAN8pmNP9rpRfCc5Hr7ZuqQh2ZtBYtVrrSrSbqDS1vPJN9M8Ds=
=g+Uz
-----END PGP SIGNATURE-----
More information about the Oisf-users
mailing list