Article Number
000001376
Applies To
RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Concentrator, Broker, Investigation
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: EL6, EL7
Issue
What is the difference between Source IP (ip.src), Destination IP (ip.dst), Originating IP (orig_ip) and Alias IP (alias.ip) meta keys in RSA Security Analytics / NetWitness Logs & Network?
Resolution
The ip.src and ip.dst meta are extracted from IP headers of the packet and represent Source and Destination IP addresses.
The Original IP (populated into orig_ip) meta is extracted from headers on the application layer. This could be for example HTTP header X-Forwarded-for attached by proxy to identify client IP (this is extracted by parser available from CMS Live). Another example is X-Originating-IP header entry extracted by MAIL parser from email headers.
The alias.ip meta is extracted from DNS response when resolving a name to IP address. E.g: if you request DNS name for www.example.com and the DNS server responds with X.X.X.X, this IP address is then recorded as alias.ip meta.
