9 Replies Latest reply on Oct 7, 2016 1:56 AM by xded

    Src and Dst IP address ::

    dindsy

      I am getting source and destination IP addresses of :: in the event windows.

      Is this supposed to represent an IPv6 address and it just can't? What other reasons could there be for my not seeing an IP address?

      Thanks.

        • 1. Re: Src and Dst IP address ::
          xded

          Hi dindsy,

          The :: is shown if the event comes in more than one time. It means this event is aggregated. Take a look at the Receiver properties under Event Aggregation, and take a look at the Event properties. Go to this event, click on the pancake menu and click on Show Rule; there is a row named Aggregation where you can shut off this aggregation for this rule.

          And no, this is not the IPv6 address.

          • 2. Re: Src and Dst IP address ::
            dindsy

            Thanks. Makes sense.

            • 3. Re: Src and Dst IP address ::
              arnieos

              Hi xded,

              What about if the event count is only 1 and the destination IP is still ::? I don't see any aggregation if the event count is only 1.

              Thanks in advance.

              • 4. Re: Src and Dst IP address ::
                yd9038

                Here's what the Product Guide says about "::":

                The source IP and destination IP address "not-set" values or aggregated values appear as "::" instead of as "0.0.0.0" in all result sets.

                For example:

                • ::ffff:10.0.12.7 is inserted as 0:0:0:0:0:FFFF:A00:C07 (A00:C07 is 10.0.12.7)

                • ::0000:10.0.12.7 would be 10.0.12.7

                Here's an example:

                You would see both source and destination IP addresses in the "A Kerberos authentication ticket (TGT) was requested" event, as there is more than one host involved in authentication events. Here, the client host is requesting a TGT from the server, and we would see both the source (client) and destination (server) IP addresses in this example.

                You would only see the source IP address, which is the IP of the datasource, in an "Application Crash" event, because the application crash occurred on the host (datasource) with no other hosts involved. The destination IP address will show as "::" in the event view in this case.

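As an added illustration (not from the product guide or any poster in this thread), the rules quoted above, expressed as a small Python normaliser that can be applied to src/dst fields exported from the ESM before they are used in detection logic, so that the "::" sentinel is never mistaken for a real address. The field strings and the sample events are constructed here, not real ESM output.

```python
import ipaddress
from typing import Optional, Tuple

# Sentinel the ESM uses for a src/dst IP that was never set, or that was
# collapsed by event aggregation (see the product-guide quote above).
UNSET = "::"


def normalize_esm_ip(field: str) -> Optional[str]:
    """Return dotted IPv4 for the IPv4 forms the ESM stores, canonical IPv6
    text for a genuine IPv6 address, or None for the "::" sentinel.

    Assumption (constructed, not from the page): the input is the raw field
    text as shown in the event view, e.g. "::", "0:0:0:0:0:FFFF:A00:C07".
    """
    field = field.strip()
    if field == UNSET or field == "":
        return None                          # not-set / aggregated, not an address
    addr = ipaddress.ip_address(field)       # raises ValueError on malformed input
    if isinstance(addr, ipaddress.IPv4Address):
        return str(addr)
    if addr.ipv4_mapped is not None:         # ::ffff:a.b.c.d, the form the ESM inserts
        return str(addr.ipv4_mapped)
    raw = int(addr)
    if raw != 0 and raw >> 32 == 0:          # ::a.b.c.d (upper 96 bits zero) -> plain IPv4
        return str(ipaddress.IPv4Address(raw & 0xFFFFFFFF))
    return addr.compressed                   # real IPv6, keep it as IPv6


# Constructed sample rows in the shape the thread describes: (event name, src, dst).
SAMPLE_EVENTS = [
    ("A Kerberos authentication ticket (TGT) was requested",
     "::ffff:10.0.12.7", "0:0:0:0:0:FFFF:A00:C01"),   # two hosts: client -> DC
    ("Application Crash", "::ffff:10.0.12.7", "::"),   # single host, no destination
]


def endpoints(event: Tuple[str, str, str]) -> Tuple[str, Optional[str], Optional[str]]:
    """Resolve both IP fields of one row; None marks an absent endpoint."""
    name, src, dst = event
    return name, normalize_esm_ip(src), normalize_esm_ip(dst)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(endpoints(ev))
```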
                • 5. Re: Src and Dst IP address ::
                  arnieos

                  Hi yd9038,

                  Thanks for your response, appreciate it.

                  How about for this particular example?

                  (attached screenshot: 1.JPG)

                  Will you be able to explain it? I'm new to ESM, so I'm still learning all its features.

                  Thanks in advance.

                  • 6. Re: Src and Dst IP address ::
                    yd9038

                    I think that's because the domain controller does not log the IP address of the workstation where the password change request came from.

                    I just looked at the event that was logged on the DC when I changed my password, and the only IP address I see in the event packet is the IP address of the DC.

                    The password change happens on the DC as an internal event, and that's why we only see its IP as the source IP in ESM; there is no destination IP in the event, and the ESM parses that as "::".

                    • 7. Re: Src and Dst IP address ::
                      arnieos

                      Now I get it!!!

                      I checked the source IP of the event and it points to our DC, not the user's workstation where the reset took place.

                      But why does ESM not record the workstation where it happened? I think it's an important piece of information.

                      Thanks for sharing your knowledge on this matter. I greatly appreciate it.

                      • 8. Re: Src and Dst IP address ::
                        yd9038

                        With a SIEM, you are just collecting logs from other network devices. It will parse whatever data it receives from datasources. There is no destination IP in the event in this example, and there is nothing for the SIEM to parse into the Destination IP field; that's why it is just "::".

                        You can collect logs from workstations too, and you will probably see when the password of a local user account is changed. It is the domain controller where the passwords for domain accounts are reset/changed. The example you provided is from a domain controller that you have as a datasource in SIEM; that's why you see its IP as the source IP address.

                        • 9. Re: Src and Dst IP address ::
                          xded

                          Nice, thx