000026848 - What is the difference between Source IP, Destination IP, Originating IP and Alias IP meta in RSA Security Analytics?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000026848
Applies To: RSA Security Analytics
RSA Security Analytics Decoder
RSA Security Analytics Log Decoder
RSA Security Analytics Concentrator
RSA Security Analytics Hybrid
RSA Security Analytics Broker
RSA NetWitness NextGen
RSA NetWitness Investigator
Issue: What is the difference between Source IP, Destination IP, Originating IP and Alias IP meta in RSA Security Analytics?
How can I tell the difference between ip.src, ip.dst, orig_ip, and alias.ip meta in NetWitness?
Resolution

The ip.src and ip.dst meta are extracted from the IP header of the packet and represent the Source and Destination IP addresses of that packet.

The Original IP meta (populated into orig_ip) is extracted from headers at the application layer. One example is the HTTP header X-Forwarded-For, which a proxy attaches to identify the client IP (this is extracted by a parser available from CMS Live). Another example is the X-Originating-IP header entry, which the MAIL parser extracts from email headers.

The alias.ip meta is extracted from a DNS response when a name is resolved to an IP address. For example, if a client requests the DNS name www.example.com, the server responds with X.X.X.X, and that IP address is then recorded as alias.ip meta.
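As an added illustration (not RSA's parser code, which this article does not show), the following Python emulates the three extraction paths described above: ip.src and ip.dst are taken from the IP header as given, orig_ip from an X-Forwarded-For or X-Originating-IP header found in the application payload, and alias.ip from the A records of a DNS response. The function names, the "source port 53 means DNS" heuristic and the sample messages are assumptions constructed for this example.

```python
import re
import struct
import ipaddress
ORIG_IP_RE = re.compile(rb"^(?:X-Forwarded-For|X-Originating-IP):[ \t]*([^\r\n]+)", re.I | re.M)

def _dns_a_records(payload: bytes) -> list[str]:
    # Walk a DNS wire-format message and collect the IPv4 addresses of its A records.
    qdcount, ancount = struct.unpack_from("!HH", payload, 4)
    def skip_name(p: int) -> int:                         # a name ends at 0x00 or a 2-byte pointer
        while payload[p] != 0:
            if payload[p] & 0xC0 == 0xC0:
                return p + 2
            p += 1 + payload[p]
        return p + 1
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4                          # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", payload, pos)
        pos += 10
        if rtype == 1 and rdlen == 4:                     # A record: exactly one IPv4 address
            ips.append(str(ipaddress.IPv4Address(payload[pos:pos + 4])))
        pos += rdlen
    return ips
def _header_ips(raw: bytes) -> list[str]:
    # Split "a, b" or "[a]" values; keep only valid addresses (some proxies write "unknown").
    out = []
    for part in raw.decode("ascii", "replace").split(","):
        try:
            out.append(str(ipaddress.ip_address(part.strip().strip("[]"))))
        except ValueError:
            pass
    return out
def extract_meta(ip_src: str, ip_dst: str, src_port: int, payload: bytes) -> dict:
    # ip.src/ip.dst come straight from the IP header; orig_ip and alias.ip come from the payload.
    meta = {"ip.src": [ip_src], "ip.dst": [ip_dst], "orig_ip": [], "alias.ip": []}
    if src_port == 53 and len(payload) > 12 and payload[2] & 0x80:   # assumption: port 53 + QR bit = DNS response
        meta["alias.ip"] = _dns_a_records(payload)
    else:
        for value in ORIG_IP_RE.findall(payload):
            meta["orig_ip"] += _header_ips(value)
    return meta

# Constructed samples (not captured traffic): proxied HTTP request, mail header block, DNS answer.
HTTP_VIA_PROXY = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Forwarded-For: 198.51.100.7, 10.0.0.5\r\n\r\n"
MAIL_HEADERS = b"From: a@example.com\r\nX-Originating-IP: [192.0.2.44]\r\nSubject: hi\r\n\r\n"
DNS_ANSWER = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x03www\x07example\x03com\x00\x00\x01\x00\x01"
              b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xcb\x00\x71\x0a")  # www.example.com A 203.0.113.10
```

Note that a proxy chain yields several orig_ip values from one header, and because the header is text written by the proxy (or by the client), orig_ip records who the upstream claims the client was, whereas ip.src is the address the Decoder actually saw on the wire.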

Legacy Article ID: a58907
