Original Client IP

gordonwright
Level 1
We send Discovery Events, Intrusion Event Packet Data, Intrusion Events, and Intrusion Event Extra Data using the eStreamer client into our SIEM tool.

I cannot find the "Original Client IP" address field in my SIEM. Does the eStreamer client actually send this field?

I have it enabled in the HTTP pre-processor policy, but I don't see it listed as an option, and I do see the field populated in the Intrusion Events tab.
1 Reply

jmoorhouse
Level 1

I think it can do it with the "X-Forwarded-For" header but not the "Original Client IP" header.

https://www.cisco.com/c/dam/en/us/td/docs/security/firesight/531/PDFs/FireSIGHT-System-eStreamer-Integration-Guide-5-3-1.pdf (page 77 of the PDF) shows the detail on the Extra Data records and XFF for IPv4 and IPv6.

My understanding is that eStreamer will only send it if the SIEM is requesting "Extra Data" from Sourcefire.
