Bug #1893

closed

tls: src_ip and dest_ip reversed in TLS events for IPS vs IDS mode.

Added by Jason Ish about 8 years ago. Updated about 8 years ago.

Status: Closed
Priority: Normal

Description

In IDS mode, when making an HTTPS request (or probably any TLS request), the src_ip is the client address and the dest_ip is the server address.

In IPS mode (real, or with --simulate-ips) the same request results in the src_ip being the server address and the dest_ip being the client.

These should be consistent regardless of mode.

Attached is a pcap doing a HEAD request over https to www.google.com that can show the issue with --simulate-ips.


Files

https-www-google-com-head.pcap (8.21 KB), Jason Ish, 09/19/2016 10:23 AM
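One way to check for the inconsistency reported above, as an added example that is not part of the original report or the project's code: it compares the TLS events logged by an IDS-mode run and a --simulate-ips run of the same pcap and lists the connections whose src_ip and dest_ip are swapped. It assumes the events are JSON lines in Suricata's EVE format; the sample lines, addresses and function names are constructed for illustration and are not output from the attached pcap.

```python
import json

# Constructed sample events (documentation-range addresses), not real output.
IDS_RUN = [
    '{"event_type":"tls","src_ip":"192.0.2.10","src_port":51514,'
    '"dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP",'
    '"tls":{"sni":"www.google.com"}}',
    '{"event_type":"dns","src_ip":"192.0.2.10","src_port":40000,'
    '"dest_ip":"192.0.2.53","dest_port":53,"proto":"UDP"}',
]
IPS_RUN = [
    '{"event_type":"tls","src_ip":"198.51.100.20","src_port":443,'
    '"dest_ip":"192.0.2.10","dest_port":51514,"proto":"TCP",'
    '"tls":{"sni":"www.google.com"}}',
]

def tls_endpoints(lines):
    """Map a direction-independent connection key to the reported (src_ip, dest_ip)."""
    seen = {}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "tls":
            continue  # only TLS events are compared
        # Unordered sets, so the key matches whether or not the log swapped sides.
        key = (ev.get("proto"),
               frozenset((ev["src_ip"], ev["dest_ip"])),
               frozenset((ev["src_port"], ev["dest_port"])))
        seen[key] = (ev["src_ip"], ev["dest_ip"])
    return seen

def compare_runs(ids_lines, ips_lines):
    """Return (connections with swapped direction, count seen in only one run)."""
    ids, ips = tls_endpoints(ids_lines), tls_endpoints(ips_lines)
    swapped = [
        {"ids": ids[k], "ips": ips[k]}
        for k in sorted(ids.keys() & ips.keys(), key=str)
        if ids[k][0] != ids[k][1] and ids[k] == ips[k][::-1]
    ]
    return swapped, len(ids.keys() ^ ips.keys())

if __name__ == "__main__":
    swapped, unmatched = compare_runs(IDS_RUN, IPS_RUN)
    for conn in swapped:
        print("direction differs:", conn)
    print("connections seen in only one run:", unmatched)
```
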