Gateway ip showing instead of source ip

Giritharan Anandhan

May 5, 2023, 2:47:48 AM
to Wazuh mailing list
Hello,

We are using Wazuh app version 4.4.1.
We were attacked through RDP when we opened it for remote work, but Wazuh didn't show the source IP of the attack; instead it showed our gateway IP.

Can you help me with this issue?

Adedamola Okelola

May 5, 2023, 8:07:19 AM
to Wazuh mailing list
Hello Giritharan,

Thank you for using Wazuh!

We understand your concern regarding the source IP of the attack not being displayed in Wazuh. This could be due to the fact that the attack did indeed come through your gateway IP address. In this case, the gateway IP address would appear to be the source of the attack. 
However, it's also possible that there is a configuration issue with Wazuh or your network that is preventing it from correctly identifying the source IP address of the attack.

To troubleshoot this issue, you should first check your firewall logs to see if they captured the source IP address of the attack. If the firewall did capture the IP address, it suggests that there may be a problem with the Wazuh configuration or log sources. In this case, you should review your Wazuh configuration and ensure that it's set up correctly to capture source IP addresses.

That being said, please share a sample log of the incident and the custom rule you have in place if any.

Regards.
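
One way to carry out the firewall-log check suggested in the reply above, as an added example that is not part of the original thread or Wazuh's own tooling: it takes alerts whose source IP is the gateway and looks for RDP (port 3389) connections logged at the firewall just before each alert. The log layout, all IP addresses, the gateway address and the five-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

GATEWAY_IP = "192.168.1.1"  # assumption: LAN address of the NAT gateway
RDP_PORT = 3389

# Constructed firewall lines (ISO timestamp + iptables LOG-style fields).
FIREWALL_LOG = """\
2023-05-04T22:10:01 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.50 PROTO=TCP SPT=50211 DPT=3389
2023-05-04T22:10:03 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.168.1.50 PROTO=TCP SPT=41000 DPT=443
2023-05-04T22:15:40 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.99 DST=192.168.1.50 PROTO=TCP SPT=50300 DPT=3389
"""

# Constructed, trimmed alerts: (timestamp, source IP shown in the alert).
ALERTS = [
    ("2023-05-04T22:10:02", "192.168.1.1"),
    ("2023-05-04T22:15:41", "192.168.1.1"),
    ("2023-05-04T22:20:00", "192.168.1.77"),
]

LINE_RE = re.compile(r"^(\S+) .*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")

def parse_firewall(text):
    """Return (time, src, dst, dport) for every firewall line that parses."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events

def recover_sources(alerts, fw_events, gateway=GATEWAY_IP, window=5):
    """For alerts that show the gateway, list the RDP sources the firewall saw
    within `window` seconds before the alert; other alerts keep their own IP."""
    results = []
    for ts, ip in alerts:
        if ip != gateway:
            results.append((ts, [ip]))
            continue
        when = datetime.fromisoformat(ts)
        earliest = when - timedelta(seconds=window)
        sources = sorted({src for t, src, _, port in fw_events
                          if port == RDP_PORT and earliest <= t <= when})
        results.append((ts, sources))
    return results

if __name__ == "__main__":
    for ts, sources in recover_sources(ALERTS, parse_firewall(FIREWALL_LOG)):
        print(ts, sources or "no matching firewall entry")
```

An empty list for a gateway-sourced alert means the firewall logged no RDP connection in the window, which points back at firewall logging rather than at the Wazuh configuration.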