|Applies To||RSA Security Analytics, RSA Security Analytics Decoder, RSA Security Analytics Log Decoder, RSA Security Analytics Concentrator, RSA Security Analytics Hybrid, RSA Security Analytics Broker, RSA NetWitness NextGen, RSA NetWitness Investigator|
|Issue||What is the difference between Source IP, Destination IP, Originating IP and Alias IP meta in RSA Security Analytics? How can I tell the difference between ip.src, ip.dst, orig_ip, and alias.ip meta in NetWitness?|
The ip.src and ip.dst meta are extracted from the IP header of the packet and represent the Source and Destination IP addresses.
The Original IP meta (populated into orig_ip) is extracted from headers at the application layer. One example is the HTTP header X-Forwarded-For, which a proxy attaches to identify the client IP (this is extracted by a parser available from CMS Live). Another example is the X-Originating-IP header entry, which the MAIL parser extracts from email headers.
The alias.ip meta is extracted from the DNS response when a name is resolved to an IP address. For example, if you send a DNS query for www.example.com, the server responds with X.X.X.X, and this IP address is then recorded as alias.ip meta.
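The following added example (illustrative Python, not NetWitness parser code) shows the layer distinction between ip.src/ip.dst and orig_ip on one constructed HTTP packet forwarded by a proxy. The helper names, the sample addresses, and the choice to emit one orig_ip per valid X-Forwarded-For entry are assumptions made for the illustration.

```python
import ipaddress
import socket
import struct

ORIG_IP_HEADER = "x-forwarded-for"   # application-layer source of orig_ip


def build_sample_packet(src, dst, payload):
    """Constructed sample: minimal IPv4 + TCP headers around an HTTP request."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def extract_meta(packet):
    """Return (meta key, value) pairs for one IPv4/TCP packet carrying HTTP."""
    ihl = (packet[0] & 0x0F) * 4                   # IP header length in bytes
    meta = [("ip.src", socket.inet_ntoa(packet[12:16])),   # from the IP header
            ("ip.dst", socket.inet_ntoa(packet[16:20]))]
    tcp_len = (packet[ihl + 12] >> 4) * 4          # TCP data offset in bytes
    payload = packet[ihl + tcp_len:].decode("latin-1")
    head = payload.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != ORIG_IP_HEADER:
            continue
        for token in value.split(","):             # the header may list several hops
            try:
                meta.append(("orig_ip", str(ipaddress.ip_address(token.strip()))))
            except ValueError:
                pass                               # not an IP literal: ignore
    return meta


# Constructed request as a proxy at 10.0.0.5 forwards it for client 203.0.113.7.
SAMPLE = build_sample_packet(
    "10.0.0.5", "192.0.2.10",
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    b"X-Forwarded-For: 203.0.113.7\r\n\r\n")

if __name__ == "__main__":
    for key, value in extract_meta(SAMPLE):
        print(f"{key:8} {value}")
```

In the sample, ip.src is the proxy's address taken from the IP header, while orig_ip is the client address the proxy wrote into the HTTP header.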
|Legacy Article ID||a58907|