
No source or destination IP on certain HIDS events after upgrade



After one of the upgrades in the past week (not sure which one, since I upgrade my systems regularly), I have noticed that some of the HIDS events do not produce a SRC or DST IP anymore. For example:

and probably more.

Any suggestion what should I do?

Thank you
Tic Pavlin



  • In addition, I have found the following correlation:

    HIDS rules that are decoded incorrectly (without SRCIP and DSTIP in SIEM events) have a rulegroup (RG) parameter in common - "web,appsec,attack":

    AV - Alert - "1518511521" --> RID: "31508"; RL: "6"; RG: "web,appsec,attack"; RC: "Blacklisted user agent (known malicious user agent)."; USER: "None"; SRCIP: ""; HOSTNAME: (...)

    AV - Alert - "1518511714" --> RID: "31509"; RL: "3"; RG: "web,appsec,attack"; RC: "CMS (WordPress or Joomla) login attempt."; USER: "None"; SRCIP: ""; HOSTNAME: (...)

    but the rule with RG: "web,accesslog," does:

    AV - Alert - "1518511534" --> RID: "31101"; RL: "5"; RG: "web,accesslog,"; RC: "Web server 400 error code."; USER: "None"; SRCIP: ""; HOSTNAME:

    The only difference I've noticed is the rulegroup. SRCIP is correctly logged in the raw event data.

    Tic Pavlin
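As an added example (not code from the thread or from AlienVault), a small Python triage script that parses alert lines in the format quoted above and counts, per rulegroup, how many events arrive with an empty SRCIP, so a group where every event lost its source IP stands out. The sample lines are constructed; the hostname and IP values in them are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample alert lines in the same format as the thread's examples.
# "host-placeholder" and 203.0.113.7 are made-up values, not from the thread.
SAMPLE_ALERTS = [
    'AV - Alert - "1518511521" --> RID: "31508"; RL: "6"; RG: "web,appsec,attack"; '
    'RC: "Blacklisted user agent (known malicious user agent)."; USER: "None"; '
    'SRCIP: ""; HOSTNAME: "host-placeholder"',
    'AV - Alert - "1518511714" --> RID: "31509"; RL: "3"; RG: "web,appsec,attack"; '
    'RC: "CMS (WordPress or Joomla) login attempt."; USER: "None"; '
    'SRCIP: ""; HOSTNAME: "host-placeholder"',
    'AV - Alert - "1518511534" --> RID: "31101"; RL: "5"; RG: "web,accesslog,"; '
    'RC: "Web server 400 error code."; USER: "None"; '
    'SRCIP: "203.0.113.7"; HOSTNAME: "host-placeholder"',
]

HEADER_RE = re.compile(r'^AV - Alert - "(\d+)" --> (.*)$')
FIELD_RE = re.compile(r'(\w+):\s*"([^"]*)"')  # KEY: "value" pairs


def parse_alert(line):
    """Return a dict of the alert's fields (plus TS), or None if the line is not an alert."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group(2)))
    fields["TS"] = m.group(1)
    return fields


def missing_srcip_by_rulegroup(lines):
    """Map each rulegroup to (events with empty SRCIP, total events)."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        rg = alert.get("RG", "")
        stats[rg][1] += 1
        if not alert.get("SRCIP"):
            stats[rg][0] += 1
    return {rg: tuple(counts) for rg, counts in stats.items()}


def suspect_rulegroups(lines):
    """Rulegroups where every event lacks SRCIP, i.e. the decoder dropped it, not a single event."""
    return sorted(rg for rg, (missing, total) in missing_srcip_by_rulegroup(lines).items()
                  if total and missing == total)
```

Run it over an export of the SIEM events from around the upgrade; a rulegroup that appears in the suspect list while its raw events still carry an IP points at decoding, not at the sensor.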

  • I can confirm that this issue has been fixed with today's (20.2.2018) update.

    Thanks guys!

    Have a nice day and keep up the good work :)