[Oisf-users] How to show what ip address do the request inside an alert

Peter Manev petermanev at gmail.com
Mon Aug 26 17:56:00 UTC 2013



On 26 aug 2013, at 18:41, "Cooper F. Nelson" <cnelson at ucsd.edu> wrote:

> That won't work for IP-only rules, as they will only trigger on the
> outside of the proxy.
> 
> If you are using a web proxy, you can add the "X-Forwarded-For" header
> to show the origin IP.  You can then use unified2 alerts and write a
> perl/python script to extract the source IP and produce a new log.  Or
> if you are using a front-end like Snorby you could just check the logged
> payload.
> 
> If you don't want to leak the origin IP you could probably write a
> post-processor that would merge the suricata logs with proxy logs.  But
> suricata does not have this feature built-in.
> 
> -Coop
> 
> P.S.  Would be nice if libhtp had the feature to "follow X-Forwarded-For"
> to allow logging of origin IPs.

http.log has that custom logging feature (X-Forwarded...). Is this what you have in mind, or do you mean more like an "alert" log feature?


> 
> On 8/26/2013 5:16 AM, Peter Manev wrote:
>> On Mon, Aug 26, 2013 at 1:22 PM, C. L. Martinez <carlopmart at gmail.com> wrote:
>>> Hi all,
>>> 
> >>> I have one suricata sensor monitoring proxy traffic that comes and goes
> >>> through it ... All works OK (until now), but I would like to see which IP
> >>> address made a certain request inside the alert. For example:
>>> 
>>> 08/26/2013-10:18:01.195424  [**] [1:2520396:1580] ET TOR Known Tor
>>> Exit Node Traffic (199) [**] [Classification: Misc Attack] [Priority:
>>> 2] {TCP} 5.9.88.18:8080 -> 10.0.0.15:62452
>>> 
> >>> 10.0.0.15 is my internal proxy, but the request comes from an internal
> >>> workstation. How can I add the workstation IP to this alert?
>> 
>> I think it is best to put the ids box behind the proxy. That way you
>> would see the internal IPs as well.
>> 
>>> 
> >>> Is it possible to do it?
> -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
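The post-processing approach Cooper describes above (pull the X-Forwarded-For header out of the logged payload and produce a new log that names the origin workstation), worked through as an added example. This is not code from the thread, from Suricata or from libhtp; it is a stand-alone illustration. The alert line is the one C. L. Martinez posted; the HTTP request payload, the proxy address set PROXY_IPS and the "[origin: ... via proxy ...]" annotation format are constructed assumptions for the example. It deliberately takes the right-most X-Forwarded-For entry, since that is the one appended by your own proxy, while entries to its left may have been supplied by the client and cannot be trusted.

```python
"""Annotate Suricata fast.log alerts seen at a web proxy with the origin
workstation IP taken from the X-Forwarded-For header in the logged payload.
Illustrative example; all sample data below is constructed."""
import re
from ipaddress import ip_address

# Address(es) of the internal proxy (assumption; 10.0.0.15 is from the thread).
PROXY_IPS = {"10.0.0.15"}

# fast.log line layout: timestamp [**] [gid:sid:rev] msg [**] [Classification...]
# [Priority: n] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid_sid_rev>[^\]]+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?P<class>.*?)\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9.]+):(?P<dport>\d+)\s*$"
)
XFF_RE = re.compile(rb"^X-Forwarded-For:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_alert(line):
    """Split one fast.log line into its fields; raise on anything else."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("not a fast.log alert line: %r" % line)
    return m.groupdict()


def origin_from_payload(payload):
    """Return the client IP the proxy appended to X-Forwarded-For, or None.

    Only the request headers (up to the first blank line) are examined.  The
    right-most entry is used because earlier entries may have been planted by
    the client; a value that is not a valid IP address is ignored."""
    headers = payload.split(b"\r\n\r\n", 1)[0]
    m = XFF_RE.search(headers)
    if not m:
        return None
    last = m.group(1).split(b",")[-1].strip().decode("ascii", "replace")
    try:
        return str(ip_address(last))
    except ValueError:
        return None


def rewrite_alert(line, payload, proxy_ips=PROXY_IPS):
    """Return (annotated_line, origin_ip).

    The original src/dst pair is kept intact (the proxy really was the TCP
    endpoint) and the origin is appended as a tag.  If the alert does not
    involve the proxy or the payload carries no usable X-Forwarded-For, the
    line is returned unchanged with origin None."""
    a = parse_alert(line)
    proxy_side = {a["src"], a["dst"]} & set(proxy_ips)
    origin = origin_from_payload(payload)
    if origin is None or not proxy_side:
        return line, None
    tag = " [origin: %s via proxy %s]" % (origin, sorted(proxy_side)[0])
    return line.rstrip("\n") + tag, origin


# Alert line from the thread (re-joined onto one line).
SAMPLE_ALERT = (
    "08/26/2013-10:18:01.195424  [**] [1:2520396:1580] ET TOR Known Tor "
    "Exit Node Traffic (199) [**] [Classification: Misc Attack] [Priority: "
    "2] {TCP} 5.9.88.18:8080 -> 10.0.0.15:62452"
)
# Constructed request as the proxy forwarded it: the client planted a bogus
# first X-Forwarded-For entry, the proxy appended the real workstation IP.
SAMPLE_PAYLOAD = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"X-Forwarded-For: 203.0.113.9, 10.0.0.42\r\n"
    b"Via: 1.1 proxy\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    new_line, origin = rewrite_alert(SAMPLE_ALERT, SAMPLE_PAYLOAD)
    print(new_line)
```

In practice the payload would come from the unified2 record (or the http.log entry) for the same flow, so the correlation key is the flow tuple plus timestamp; the annotation keeps the proxy's address in the line so the original observation remains auditable.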


