QRadar: How the Source IP and Destination IP determined from events
How is the Source IP or Destination IP determined if it is not available in the Payload Information of an Event?
The event source sends an event to QRadar that does not contain a source or destination IP address, such as a SSH login event. This event type will usually only contains a source IP address and no destination IP address.
<83>Jul 8 16:10:08 10.10.10.10 sshd: error: PAM: Authentication failure for user1 from 10.10.10.20
When QRadar receives and processes event data, it must assign an IP address to the Source IP and Destination IP fields. QRadar looks in the following locations, to determine the IP address to use, in the following order:
- IP address fields in Payload Information
The availability of more detailed IP address information depends on each Log Source Type, as well as the events themselves, as not all events will contain IP address fields. If the source IP address in available, the Source IP field will be updated with this information. If source IP information is not available, then it will remain as it was last set in the previous step. The same is true of destination IP information. If destination information is not available then it will remain set as either the Syslog hostname field, if an IP was available, else it will remain set as the source of the packet.
- The hostname field in the Syslog header
QRadar will look for an IP address in the hostname field of the Syslog header, if available.
Note: Not all Syslog sources use proper headers.
If an IP address is found, the Source IP and Destination IP fields are updated with this IP address. If the hostname field contains a textual hostname, then it is not used. QRadar will not do a DNS lookup on a hostname, as it would take too much time to do for every event, and would affect pipeline throughput capacity.
- The source IP address of the packet the event came from, when received by QRadar
The Source IP and Destination IP fields are set to the source IP address of the packet itself. This would be the device that sent the data to QRadar. If you are using an existing, centralized Syslog server to forward events to QRadar, you may often see the IP address of the Syslog server in the Source IP and Destination IP fields.
The best ways to avoid this is to do one of the following:
- Set the Log Source device to send Syslog directly to QRadar.
- Preserve the initial Syslog headers, and have the originating devices configured to send an IP address in the hostname filed of the Syslog header.
- Reconfigure your Syslog server to prepend a new Syslog header to the events it forwards to QRadar, with the originating devices IP address in the hostname header field.
<182>Dec 15 10:56:58 10.10.10.2 - Aug 15 2015 10:56:57: %PIX-5-304001: 10.10.10.113 Accessed URL <PUBLIC IP ADDRESS>:/rss20.xml
In the example above, there is a Cisco PIX firewall event. Not shown here, the source IP of this packet is that of a central Syslog server. The central Syslog server has an IP address of 10.10.10.5. QRadar uses the source IP of the packet to first set both the Source IP and Destination IP fields to 10.10.10.5.
Cisco PIX firewall messages do not normally include standard Syslog headers, however, the administrator of the Syslog server configured the server to prepend a new Syslog header to the event. The administrator of the centralized syslog server set the hostname field of the prepended Syslog header as the IP address of the Cisco PIX firewall. This is seen in the above example as 10.10.10.2. As the Syslog header is available, and does contain an IP address in the hostname field, QRadar now sets the Source IP and Destination IP fields to the this IP address.
QRadar then parses any IP address fields from the Payload Information of the event, if present. In the above example, we can see that the source IP is 10.10.10.113. It can also be seen in the above example that the destination address is <PUBLIC IP ADDRESS>; most likely a remote web server in this case.
Note: It is recommended to configure Log Sources to include a complete, properly formatted, Syslog header that includes an IP address, rather than a text-based hostname.
Where do you find more information?
Translate this page: