What is the difference between Source IP, Destination IP, Originating IP and Alias IP meta keys in RSA Security Analytics/NetWitness Platform?
Issue
What is the difference between Source IP (ip.src), Destination IP (ip.dst), Originating IP (orig_ip) and Alias IP (alias.ip) meta keys in RSA Security Analytics / NetWitness Logs & Network?
Resolution
The ip.src and ip.dst meta values are extracted from the IP header of the packet and represent the packet's Source and Destination IP addresses.
The Original IP meta (populated into orig_ip) is extracted from headers at the application layer. One example is the HTTP header X-Forwarded-For, attached by a proxy to identify the client IP (this is extracted by a parser available from CMS Live). Another example is the X-Originating-IP header entry, which the MAIL parser extracts from email headers.
The alias.ip meta is extracted from a DNS response when a name is resolved to an IP address. For example, if a DNS lookup is made for www.example.com and the DNS server responds with X.X.X.X, that IP address is recorded as alias.ip meta.
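To make the layering concrete, the following added example (not RSA code, and not how the NetWitness parsers are implemented) builds the four meta keys for one constructed session: ip.src and ip.dst come from the packet, orig_ip from the X-Forwarded-For header, and alias.ip from the DNS answer. The sample addresses and request are constructed for illustration.

```python
from typing import Dict, List, Optional


def orig_ip_from_http(payload: bytes) -> Optional[str]:
    """Application-layer client IP from X-Forwarded-For (first hop), else None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"x-forwarded-for":
            # The first entry is the client as recorded by the first proxy.
            # It is written by the sending host, so it is a claim carried in
            # the payload, not a packet-layer fact like ip.src.
            return value.split(b",")[0].strip().decode("ascii")
    return None


def session_meta(ip_src: str, ip_dst: str,
                 http_payload: Optional[bytes] = None,
                 dns_answers: Optional[List[str]] = None) -> Dict[str, List[str]]:
    """Build the meta keys described in the article for one reassembled session."""
    meta: Dict[str, List[str]] = {"ip.src": [ip_src], "ip.dst": [ip_dst]}
    if http_payload is not None:
        orig = orig_ip_from_http(http_payload)
        if orig:
            meta["orig_ip"] = [orig]
    if dns_answers:
        # Each address in the DNS response becomes one alias.ip value.
        meta["alias.ip"] = list(dns_answers)
    return meta


# Constructed sample: proxy 192.0.2.10 relays a request from client 10.1.2.3
# to web server 203.0.113.5; the XFF chain also lists an intermediate proxy.
SAMPLE_HTTP = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
               b"X-Forwarded-For: 10.1.2.3, 198.51.100.7\r\n\r\n")

if __name__ == "__main__":
    # ip.src is the proxy; orig_ip is the client behind it.
    print(session_meta("192.0.2.10", "203.0.113.5", SAMPLE_HTTP))
    # DNS lookup from the client to resolver 203.0.113.53; answer lands in alias.ip.
    print(session_meta("10.1.2.3", "203.0.113.53", dns_answers=["203.0.113.5"]))
```

Filtering on ip.src alone therefore shows the proxy for the HTTP session, while orig_ip is the key that carries the client address.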
Internal Comments
UserName:wirthr16/21/2012 3:08:43 PM - Solution Number 00000538
UserName:shurtj
6/6/2014 9:17:00 PM - Changed Article Type
Changed article type from corrective to how-to and modified statements accordingly to adhere to Primus best practices.
Product Details
RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Concentrator, Broker, Investigation
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: EL6, EL7