IP in /var/log/suricata/fast.log does not change target

Hello all, I have a problem with the /var/log/suricata/fast.log file. When I attack IP 192.168.9.10, namely the server, the traffic shows up in /var/log/suricata/fast.log, but in the log it is directed towards the Suricata IP 192.168.9.20. Please help me solve this so that the target IP is as intended.

thanks

Please provide more details about your setup, like suricata version, suricata.yaml, run command, which runmode you use and how you forward the traffic.

The suricata.yaml file is attached below. For traffic I use destination NAT from the server IP to the Suricata IP.
suricata.yaml (83.9 KB)

You are still lacking details:

  1. Suricata version
  2. run command
  3. runmode being used
  4. add suricata.log
  5. Explain in more detail the traffic forwarding to suricata

Without a proper and verbose description, we won’t be able to help you.

Suricata version 7.06

Run command: [image]

suricata.log: [image]

I configured this on the proxy, namely redirecting packets heading to the server to Suricata using NAT. The packets are detected by Suricata, but the IP in the Suricata log only shows the Suricata IP, even though the IP attacked is the server IP.

So you do NAT before you forward the packets to the Suricata machine?
If you change the destination IP it would be obvious why the IP is different.
Ideally do a tcpdump run there as well and look into the content there to compare it and maybe provide the pcap.
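
The same comparison can be made on fast.log itself. This is an added example, not part of the original thread: it parses fast.log alert lines and reports whether every alert names the sensor address (192.168.9.20) as destination and none names the server (192.168.9.10), which is what you see when destination NAT rewrites the packet before Suricata receives it. The sample lines, the source address 192.168.9.50 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# fast.log layout:
# ts  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def split_host(endpoint):
    """Drop the trailing :port; rpartition keeps IPv6 colons in the host part."""
    host, sep, port = endpoint.rpartition(":")
    return host if sep and port.isdigit() else endpoint

def dest_summary(lines, server_ip, sensor_ip):
    """Count alert destinations and flag the 'rewritten before the sensor' pattern."""
    dsts = Counter()
    for line in lines:
        m = FAST_RE.match(line.strip())
        if m:  # skip lines that are not alert records
            dsts[split_host(m.group("dst"))] += 1
    to_server, to_sensor = dsts[server_ip], dsts[sensor_ip]
    return {
        "to_server": to_server,
        "to_sensor": to_sensor,
        "other": sum(dsts.values()) - to_server - to_sensor,
        # Alerts only ever name the sensor: the destination was changed upstream.
        "rewritten_before_sensor": to_sensor > 0 and to_server == 0,
    }

# Constructed sample lines (not taken from the poster's log).
SAMPLE = [
    "01/15/2025-10:12:01.123456  [**] [1:1000001:1] TEST constructed rule A [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "192.168.9.50:44512 -> 192.168.9.20:80",
    "01/15/2025-10:12:02.223456  [**] [1:1000002:1] TEST constructed rule B [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} "
    "192.168.9.50:8 -> 192.168.9.20:0",
]

if __name__ == "__main__":
    print(dest_summary(SAMPLE, "192.168.9.10", "192.168.9.20"))
```

If `rewritten_before_sensor` is true, the address in the log is the one that was on the wire at the sensor, so the fix belongs in how traffic is delivered to Suricata rather than in suricata.yaml.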