000026848 - What is the difference between Source IP, Destination IP, Originating IP and Alias IP meta keys in RSA Security Analytics/NetWitness Platform?

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Sep 26, 2019
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000026848
Applies ToRSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Concentrator, Broker, Investigation 
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: EL6, EL7
IssueWhat is the difference between Source IP (ip.src), Destination IP (ip.dst), Originating IP (orig_ip) and Alias IP (alias.ip) meta keys in RSA Security Analytics / NetWitness Logs & Network?

The ip.src and ip.dst meta are extracted from IP headers of the packet and represent Source and Destination IP addresses.

The Original IP (populated into orig_ip) meta is extracted from headers on the application layer. This could be for example HTTP header X-Forwarded-for attached by proxy to identify client IP (this is extracted by parser available from CMS Live). Another example is X-Originating-IP header entry extracted by MAIL parser from email headers.

The alias.ip meta is extracted from DNS response when resolving a name to IP address. E.g: if you request DNS name for www.example.com and the DNS server responds with X.X.X.X, this IP address is then recorded as alias.ip meta.

Legacy Article IDa58907