Vitor:
It seems that your alert logs show that the log was generated by the agent.
We have to work to make ossec-hids report dstip by parsing the event and reporting it to the log, so I do not have to make it up.
On 9/14/06, Leonardo Goldim <[EMAIL PROTECTED]> wrote:
Sorry, but I don't understand your answer ...
As it is today, the dstip is the agent IP?
In my BASE, the dstip and the srcip are the same, is that right?
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
[EMAIL PROTECTED]
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Meir Michanie wrote:
>
> On 9/14/06, *Leonardo Goldim* <[EMAIL PROTECTED]> wrote:
>
> my idea to use the real IP instead of 0.0.0.0 is to organize the
> alerts in BASE ...
> for example, I have a server that monitors many agents ... using
> BASE to analyse the alerts, I can't order by host, the alerts are mixed ...
>
> Why not? The agent is the dst IP. Sort by dstip.
>
> if I use the dstip as the real IP, I can go to dest IP addrs -> select
> an IP and I get all the alerts from that host. Is it possible to make this
> comparison that you explain using the srcip as 0.0.0.0 or the real IP ...
>
> The dst IP is the one who has logged the event,
> and src IP is either a known network real IP or null if unknown or not
> network related.
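The convention Meir describes (dstip is the host that logged the event, srcip is the parsed network source or a null placeholder) can be applied directly to the text alerts OSSEC writes, which is what makes grouping by host possible in a front end such as BASE. The following is an added example, not code from this thread or from the ossec-hids project. It assumes the classic alerts.log layout (a `** Alert` header, an origin line `YYYY Mon DD HH:MM:SS (agent) ip->location`, a `Rule:` line and an optional `Src IP:` line); the sample alerts, agent names and addresses are constructed for the example. Server-local alerts carry a hostname instead of an IP on the origin line, so the caller supplies `server_ip` as the logging host in that case (also an assumption of this example).

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder the thread uses when an alert has no network source address.
UNKNOWN_IP = "0.0.0.0"

# Constructed sample alerts in the assumed alerts.log layout; the agents,
# addresses and log lines are made up for this example.
SAMPLE_ALERTS = """\
** Alert 1158248400.12345: - syslog,sshd,authentication_failed,
2006 Sep 14 10:00:00 (agent01) 192.168.1.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
User: root
Sep 14 10:00:00 web01 sshd[1234]: Failed password for root from 10.0.0.5 port 4321 ssh2

** Alert 1158248460.12346: - ossec,
2006 Sep 14 10:01:00 (agent02) 192.168.1.11->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/tmp/example' present on the filesystem.
"""

HEADER = re.compile(r"^\*\* Alert (?P<ts>[\d.]+): ")
# Origin line: agent alerts have "(agent) ip->location", local alerts "host->location".
ORIGIN = re.compile(
    r"^\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d (?:\((?P<agent>[^)]+)\) )?(?P<host>.+?)->(?P<location>.*)$"
)
RULE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRC = re.compile(r"^Src IP: (?P<ip>\S+)$")


@dataclass
class AlertEndpoints:
    timestamp: str
    agent: str
    rule_id: int
    srcip: str  # parsed network source, or UNKNOWN_IP when the event has none
    dstip: str  # the host that logged the event


def parse_alert(record: str, server_ip: str = UNKNOWN_IP) -> Optional[AlertEndpoints]:
    """Turn one alert record into (srcip, dstip) following the thread's convention."""
    ts = agent = host = None
    rule_id = None
    src = UNKNOWN_IP
    for line in record.strip().splitlines():
        if (m := HEADER.match(line)):
            ts = m["ts"]
        elif host is None and (m := ORIGIN.match(line)):
            agent, host = m["agent"], m["host"]
        elif (m := RULE.match(line)):
            rule_id = int(m["id"])
        elif (m := SRC.match(line)):
            # Some builds print "(none)" rather than omitting the line (assumption).
            if m["ip"] != "(none)":
                src = m["ip"]
    if ts is None or host is None or rule_id is None:
        return None  # incomplete record; do not invent endpoints for it
    # Agent alerts carry the agent's IP; local alerts carry a hostname, so the
    # caller's server_ip stands in as the logging host.
    dstip = host if agent else server_ip
    return AlertEndpoints(ts, agent or host, rule_id, src, dstip)


def parse_alert_log(text: str, server_ip: str = UNKNOWN_IP) -> List[AlertEndpoints]:
    """Split an alerts.log dump on blank lines and parse every complete record."""
    records = re.split(r"\n\s*\n", text.strip())
    return [a for a in (parse_alert(r, server_ip) for r in records) if a]


def alerts_by_dstip(alerts: List[AlertEndpoints]) -> Dict[str, List[AlertEndpoints]]:
    """Group alerts by the logging host, which is what 'sort by dstip' in BASE gives."""
    grouped: Dict[str, List[AlertEndpoints]] = defaultdict(list)
    for a in alerts:
        grouped[a.dstip].append(a)
    return dict(grouped)


if __name__ == "__main__":
    for dst, items in alerts_by_dstip(parse_alert_log(SAMPLE_ALERTS)).items():
        print(dst, [(a.rule_id, a.srcip) for a in items])
```

With the two constructed alerts, the sshd event maps to srcip 10.0.0.5 / dstip 192.168.1.10, while the rootcheck event has no network source and keeps 0.0.0.0 as srcip but still lands under its agent's address, so per-host grouping works for both kinds of event.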
