[Oisf-users] source IP address caught by inline Suricata

liao zhuodi liao_zd at foxmail.com
Fri Feb 13 07:27:29 UTC 2015


Here is my inline suricata network infrastructure:

[PCs (LAN IP, DHCP)] <--> [LAN router (IP 10.10.10.50)] <--> [(eth0 IP 10.10.10.1) Suricata box (wlan0 IP, DHCP)] <--> WLAN

One line from my http.log:

02/10/2015-17:30:37.892874 tp4.sinaimg.cn [**] /2832063327/180/5640107632/1 [**] Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36 [**] 10.10.10.50:57985 -> 103.229.32.27:80

As you can see, Suricata can catch the LAN router IP, 10.10.10.50, but the real source IP is some PC inside the LAN. How can I detect and record that IP in each Suricata log? Is there a way I can get the LAN IP address of the originating PC, not just the router IP address?

My iptables:
iptables -vnL

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
4130K 3184M NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0


Liao
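The log line quoted above only carries the router's translated address because the NAT happens before the packet reaches the Suricata box's eth0; Suricata itself never sees the private address. Recovering it after the fact needs a translation record from the router and a join on the translated 5-tuple plus time. The following is an added example (not from the post or the Suricata project) that parses the http.log layout shown above and joins it against a constructed NAT translation table; the field names of the NAT records and the 192.168.1.x LAN addresses are assumptions.

```python
import re
from datetime import datetime, timedelta

# Layout of the http.log line quoted in the post:
# <timestamp> <host> [**] <uri> [**] <user-agent> [**] <src>:<port> -> <dst>:<port>
HTTP_LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \[\*\*\] (?P<uri>\S+) \[\*\*\] (?P<ua>.*) \[\*\*\] "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
TS_FMT = "%m/%d/%Y-%H:%M:%S.%f"  # timestamp format used in the quoted line

def parse_http_log(line):
    """Return a dict for one http.log line, or None if the line does not match."""
    m = HTTP_LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

# Constructed NAT translation records (assumed shape; a real router would export
# them via conntrack/netflow): LAN side, translated side, destination, active window.
# The second entry reuses the same translated port an hour later, which is why the
# join must also check time and not only the 5-tuple.
NAT_RECORDS = [
    ("192.168.1.23", 50123, "10.10.10.50", 57985, "103.229.32.27", 80,
     datetime(2015, 2, 10, 17, 30, 37), datetime(2015, 2, 10, 17, 32, 0)),
    ("192.168.1.41", 41002, "10.10.10.50", 57985, "103.229.32.27", 80,
     datetime(2015, 2, 10, 18, 30, 0), datetime(2015, 2, 10, 18, 31, 0)),
]

def attribute(ev, records, slack=timedelta(seconds=1)):
    """Map the router-side 5-tuple of a Suricata event back to (LAN IP, LAN port).
    Returns None when no translation was active at the event's timestamp."""
    for lan_ip, lan_port, nat_ip, nat_port, dst_ip, dst_port, start, end in records:
        if ((nat_ip, nat_port, dst_ip, dst_port) == (ev["src"], ev["sport"], ev["dst"], ev["dport"])
                and start - slack <= ev["ts"] <= end + slack):
            return lan_ip, lan_port
    return None

# The exact line from the post, embedded as sample input.
SAMPLE = ("02/10/2015-17:30:37.892874 tp4.sinaimg.cn [**] /2832063327/180/5640107632/1 [**] "
          "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) "
          "Chrome/40.0.2214.111 Safari/537.36 [**] 10.10.10.50:57985 -> 103.229.32.27:80")

if __name__ == "__main__":
    print(attribute(parse_http_log(SAMPLE), NAT_RECORDS))  # ('192.168.1.23', 50123)
```

The alternative that avoids the join entirely is to place the sensor on the LAN side of the router (or run Suricata on the router itself), so that the packets it inspects still carry the private source address.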
