[Oisf-users] source IP address catched by inline suricate
liao zhuodi
liao_zd at foxmail.com
Fri Feb 13 07:27:29 UTC 2015
Here is my inline suricata network infrastructure:
[PCs(LAN ip dhcp)] <—> [LAN Router(ip 10.10.10.50)] <—> [(eth0 ip 10.10.10.1)Suricata box(wlan0 ip dhcp)] <--> WLAN
one of my http.log:
02/10/2015-17:30:37.892874 tp4.sinaimg.cn [**] /2832063327/180/5640107632/1 [**] Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36 [**] 10.10.10.50:57985 -> 103.229.32.27:80
As you can see, suricate can catch the LAN Router IP, 10.10.10.50, but the really source ip is from some PC inside the LAN, how can detect and record that IP in each suricate log. Is there a way I can get the LAN ip address from the very beginning PC? Not just router IP address.
My iptables:
iptables -vnL
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4130K 3184M NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
Liao
More information about the Oisf-users
mailing list