How to detect source IP address in Windows event log


Aytekin Döne

Aug 20, 2019, 4:05:47 PM
to Wazuh mailing list
Hi all,
I want to detect the IP of the attackers in the Windows event log. Which field should I filter on in the Windows logs?
When I filter as follows, only ::1 appears.

Thanks
[screenshot: image.png]

Juan Carlos

Aug 20, 2019, 11:24:03 PM
to Wazuh mailing list
Hello Aytekin,

::1 is the IPv6 loopback address in its abbreviated representation (the equivalent of 127.0.0.1 in IPv4). Its unabbreviated form would be 0000:0000:0000:0000:0000:0000:0000:0001.

It seems that you do not have events with external IPs. Are you sure you should have some?
Could there be a filter or search that is excluding them?

Best Regards,
Juan Carlos Tello

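As an added illustration of the field Juan Carlos is talking about (this is example code, not part of the thread or of Wazuh), the following PowerShell script, run on the RDP target itself, reads the Security log directly and lists logon events 4624 (success) and 4625 (failure) whose EventData field "IpAddress" holds something other than a loopback address. That is the same field Wazuh forwards from the event channel, so it shows whether the source address is missing at the Windows side or only in the Wazuh search. The `$Hours`/`$MaxEvents` parameters and the loopback list are assumptions for the example; reading the Security log needs an elevated session (or membership in "Event Log Readers").

```powershell
# Added example (not from the thread): list recent logon events in the Windows
# Security log whose IpAddress field is populated with a non-loopback address.
# Run in an elevated PowerShell session on the RDP target.
# Assumptions: Event IDs 4624/4625, the named EventData field "IpAddress";
# $Hours, $MaxEvents and the $loopback list are illustrative choices.

param(
    [int]$Hours     = 24,
    [int]$MaxEvents = 5000
)

# '::1' and '127.0.0.1' are the IPv6/IPv4 loopback addresses; '-' is what
# Windows writes when the logon carried no network address at all.
$loopback = @('::1', '127.0.0.1', '-')

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

# SilentlyContinue: "No events were found" is reported as a non-terminating
# error, and an empty result is a valid answer here.
$rows = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read named fields from the event XML instead of positional
        # Properties[] indexes, which differ between 4624 and 4625.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventId     = $_.Id
            LogonType   = $data['LogonType']   # 10 = RemoteInteractive (RDP), 3 = Network
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Workstation = $data['WorkstationName']
            IpAddress   = $data['IpAddress']
            IpPort      = $data['IpPort']
        }
    } |
    Where-Object { $_.IpAddress -and ($loopback -notcontains $_.IpAddress) }

# Newest events first, then a count per source address, which is the usual
# starting point for spotting a brute-force source.
$rows | Sort-Object Time -Descending | Format-Table -AutoSize
$rows | Group-Object IpAddress | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

If this script shows real client addresses, the data is in the Security log and the Wazuh side (the `eventchannel` localfile, the decoder, or the Kibana filter) is where to look next; if it shows only loopback or "-", the gap is on the Windows host. One known cause of the latter: when RDP uses Network Level Authentication, a failed pre-authentication is logged as 4625 with LogonType 3, and on many Windows versions that event carries "-" as the IpAddress. The client address is still recorded in the Remote Desktop Services logs, for example event 1149 in Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational (successful authentication, with "Source Network Address") and event 131 in Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational (every accepted TCP connection, with the client IP and port), so forwarding those channels to Wazuh is the usual fix.
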
Aytekin Döne

Aug 21, 2019, 10:44:29 AM
to Juan Carlos, Wazuh mailing list
Thanks, Juan.
But when I try an RDP connection to my server from the public network, I get the following logs, which do not include an IP address.

[screenshot: image.png]

Juan Carlos <juancarl...@wazuh.com> wrote on Wed, 21 Aug 2019, 06:24:
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/4e82a18e-511a-4356-96a6-1d3beb6d4224%40googlegroups.com.

Juan Carlos

Aug 22, 2019, 12:29:19 PM
to Wazuh mailing list
Hello Aytekin,
Sorry for the delay in replying.
Is it possible you are seeing a login attempt from the same computer instead of a remote connection?
I have just verified this on a system with Wazuh v3.9.5 and it is working correctly:
Best Regards,
Juan Carlos Tello


Aytekin Döne

Aug 23, 2019, 5:51:47 AM
to Juan Carlos, Wazuh mailing list
Hi Juan,
Unfortunately, the IP address for this rule does not appear. I wonder whether I should configure something in the event logs on my server?
I found this issue in this forum:

[screenshot: image.png]

Juan Carlos <juancarl...@wazuh.com> wrote on Thu, 22 Aug 2019, 19:29:

Juan Carlos

Aug 29, 2019, 3:27:13 PM
to Wazuh mailing list
Hello Aytekin,

Sorry for the late response. I have not managed to reproduce this behavior except by doing RDP requests from the same machine.

Could it be possible that you are using that same machine as a proxy for these requests?

Indeed, the issue seems to lie outside the log-collecting capabilities of Wazuh, as it is the Windows Event Logs that provide that information.

Please let us know if you have any further information on this behavior and we'll be glad to look into it.

Best Regards,
Juan Carlos Tello

Zulfikar Caglar

Aug 29, 2019, 5:48:58 PM
to Juan Carlos, Wazuh mailing list
Hello Aytekin,
If I understand you correctly, you are connecting to a computer on the LAN over the Internet with RDP. The internal computer communicates with the Internet through a public IP address on the firewall; this is also called NAT. Within NATed traffic, the destination IP address is changed to your computer's IP address and the source IP address is changed to the firewall's local IP address. Only the firewall knows the real public IP address; your computer inside does not. When replying, the source IP address it sends packets back to is the firewall's local IP address. This is the nature of the NAT process.

Install Wireshark on the computer you connect to with RDP and start capturing traffic, then repeat the scenario. Stop capturing after connecting with RDP. Review the Wireshark capture: as you will see, the source IP address field will be 192.168.1.1 (the firewall's local address, or default gateway) and the destination IP address will be the computer you are connecting to, such as 192.168.1.5. You will find another field, the originating source IP address, in the same captured packet; this will be the public IP address you connect from outside. This last field does not appear in the Windows log records, because Windows only knows that the source talking to it is the default gateway (the firewall). The information appears in the pcap because pcap records low-level traffic.

I suggest you install Suricata on your local network. Mirror all internal traffic of the firewall to Suricata via the switch. Integrate Suricata with Wazuh. You can also ingest the pcap logs that Suricata creates into Wazuh as logs. After that you can create an alarm by writing rules in Wazuh. I did this in my own environment.

Zulfikar CAGLAR

Juan Carlos <juancarl...@wazuh.com> wrote on Thu, 29 Aug 2019, 22:27:
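
The Suricata-to-Wazuh step Zulfikar describes is, on the Wazuh side, a single `localfile` entry; the fragment below is an added example rather than anything posted in the thread. It assumes Suricata writes its EVE JSON output to /var/log/suricata/eve.json (the default location in Suricata's suricata.yaml) and that the Wazuh agent or manager reading it has the bundled Suricata rules (the 86600 rule group in Wazuh's ruleset), which turn each EVE "alert" record into a Wazuh alert carrying the original src_ip and dest_ip.

```xml
<!-- Added example, not from the thread: ossec.conf on the Wazuh agent
     (or manager) that runs next to Suricata. The eve.json path is the
     Suricata default and is an assumption for this example. -->
<ossec_config>
  <localfile>
    <!-- EVE output is one JSON object per line, so the json log format
         decodes every field (event_type, src_ip, dest_ip, alert.signature,
         ...) without a custom decoder. -->
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>
```

With that in place the source address of an RDP attempt seen on the mirrored link shows up in Wazuh as `data.src_ip` on the Suricata alert, independent of what the Windows Security log recorded.
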

Aytekin Döne

Sep 3, 2019, 5:31:25 AM
to Zulfikar Caglar, Juan Carlos, Wazuh mailing list
Thanks for your info, Zulfikar.

You are right, but I can display the public IPs related to RDP connections in the event logs on my external server. I actually need something like this.

[screenshot: image.png]


Zulfikar Caglar <zulfika...@gmail.com> wrote on Fri, 30 Aug 2019, 00:48:

Juan Carlos

Sep 9, 2019, 5:50:46 PM
to Wazuh mailing list
Hello Aytekin,
Is this a different Windows event from the one being logged by Wazuh?
Does it contain the source information you're looking for?
If so, we will be able to provide better assistance if you provide sample logs to verify how the Wazuh analysisd daemon reacts to it and what may be necessary to achieve your goal.
Best Regards,
Juan Carlos Tello
