My idea to use the real IP instead of 0.0.0.0 is to organize the alerts in
BASE ...
For example, I have a server that monitors many agents ... using BASE to
analyse the alerts, I can't order by host, the alerts are mixed ...
If I use the dstip as the real IP, I can go to dest IP addrs -> select an IP
and I get all the alerts from that host. It's possible to make this
comparison that you explain using the srcip as 0.0.0.0 or the real IP ...
I will not hesitate, it's a productive debate.
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
[EMAIL PROTECTED]
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie wrote:
On 9/13/06, *Leonardo Goldim* <[EMAIL PROTECTED]> wrote:
Isn't it better that the dst ip is always the agent (if agent-server)
or the machine (if local installation), and the src ip is the IP that
tries to connect, or 127.0.0.1 if it is something local?
I believe that using it this way is better to organize information in
BASE, right?
I use srcip 0.0.0.0 to indicate that it may not be a
network related alert (like new user). If I used 127.0.0.1,
then I would be mixing in real srcip alerts from
127.0.0.1 of a network related alert, like ssh from
localhost.
Please do not hesitate to continue the debate.
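The two conventions debated in this thread can be compared directly on a handful of records. The following is an added illustration, not code from the thread, from OSSEC or from BASE: the alert records, the agent addresses and the field names (`srcip`, `dstip`, `sig`) are constructed for the example, and the grouping functions stand in for what BASE's "dest IP addrs" view and a srcip filter would do. It shows that keying the per-host view on `dstip` (Leonardo's goal) works regardless of the srcip choice, while only the `0.0.0.0` marker (Meir's convention) keeps host-local events such as a new user separable from a genuine ssh login from localhost.

```python
from collections import defaultdict

# Constructed sample agents (assumption: any two monitored hosts).
AGENT_A = "10.0.0.5"
AGENT_B = "10.0.0.6"


def make_alert(agent_ip, description, srcip=None):
    """Build a minimal alert record following the convention from the thread:
    dstip is always the monitored host (the agent, or the local machine),
    srcip is the real remote address for network-related alerts and the
    0.0.0.0 marker for host-local alerts that have no network source."""
    return {
        "srcip": srcip if srcip is not None else "0.0.0.0",
        "dstip": agent_ip,
        "sig": description,
    }


# Constructed sample alerts; descriptions are illustrative, not real rule names.
ALERTS = [
    make_alert(AGENT_A, "New user added to the system"),
    make_alert(AGENT_A, "SSHD authentication success", srcip="127.0.0.1"),
    make_alert(AGENT_A, "SSHD authentication failed", srcip="192.0.2.44"),
    make_alert(AGENT_B, "New user added to the system"),
    make_alert(AGENT_B, "SSHD authentication failed", srcip="192.0.2.44"),
]


def alerts_by_host(alerts):
    """Per-host view: group by dstip, as selecting an address under
    'dest IP addrs' in BASE would. Returns {dstip: [descriptions]}."""
    grouped = defaultdict(list)
    for alert in alerts:
        grouped[alert["dstip"]].append(alert["sig"])
    return dict(grouped)


def non_network_alerts(alerts):
    """Alerts carrying the 0.0.0.0 marker, i.e. events with no network source."""
    return [a for a in alerts if a["srcip"] == "0.0.0.0"]


def localhost_network_alerts(alerts):
    """Alerts whose real source really was the loopback address."""
    return [a for a in alerts if a["srcip"] == "127.0.0.1"]


def collapse_local_to_loopback(alerts):
    """The alternative mapping from the thread: use 127.0.0.1 for local events
    instead of 0.0.0.0. Returns new records; after this, a new-user event and a
    genuine ssh login from localhost can no longer be told apart by srcip."""
    return [
        dict(a, srcip="127.0.0.1" if a["srcip"] == "0.0.0.0" else a["srcip"])
        for a in alerts
    ]


if __name__ == "__main__":
    for host, sigs in alerts_by_host(ALERTS).items():
        print(host, sigs)
    print("host-local:", [a["sig"] for a in non_network_alerts(ALERTS)])
    print("real loopback:", [a["sig"] for a in localhost_network_alerts(ALERTS)])
    collapsed = collapse_local_to_loopback(ALERTS)
    print("after collapsing to 127.0.0.1:",
          [a["sig"] for a in localhost_network_alerts(collapsed)])
```

Run as a script it prints the per-host grouping, which is identical for both conventions, and then shows that the loopback filter grows from one genuine ssh event to three once local events are also stored as 127.0.0.1.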