• Support
  • Forums
  • Blogs

No source or destination IP on certain HIDS events after upgrade

tic.pavlintic.pavlin

New Life Form
+5
Hi!

After one of the upgrades in the past week, not sure which one, since I upgrade my systems regular, I have noticed that some of the HIDS events do not produce SRC or DST ip anymore. For example:


and probably more.

Any suggestion what should I do?

Thank you
Tic Pavlin

Share post:

Comments

  • In addition, I have found the following correlation:

    HIDS rules that are decoded incorrect ( without SRCIP and DSTIP in SIEM events ) have a rulegroup ( RG ) parameter in common - "web,appsec,attack":

    AV - Alert - "1518511521" --> RID: "31508"; RL: "6"; RG: "web,appsec,attack"; RC: "Blacklisted user agent (known malicious user agent)."; USER:
    "None"; SRCIP: "144.76.29.66"; HOSTNAME: (...)

    AV - Alert - "1518511714" --> RID: "31509"; RL: "3"; RG: "web,appsec,attack"; RC: "CMS (WordPress or Joomla) login attempt."; USER: "None";
    SRCIP: "62.149.211.160"; HOSTNAME: (...)

    but the rule with RG: "web,accesslog," does:

    AV - Alert - "1518511534" --> RID: "31101"; RL: "5"; RG: "web,accesslog,"; RC: "Web server 400 error code."; USER: "None"; SRCIP:
    "54.36.148.157"; HOSTNAME: 


    Only difference I've noticed is the rulegroup. SRCIP correctly is logged with raw event data.

    Tic Pavlin

  • I can confirm, that this issue has been fixed with today's ( 20.2.2018 ) update. 

    Thanks guys!

    Have a nice day and keep up the good work :) 
Sign In or Register to comment.