Question & Answer
Why does the Source IP for Symantec Endpoint Protection events not match what is in the payload?
Events are interpreted based on whether they are Inbound or Outbound
Symantec Endpoint Protection events are parsed according to whether they are Inbound or Outbound. For Inbound rules, the Source IP is set to the Remote IP from the payload. For Outbound rules, the Source IP is set to the Local IP from the payload. This is intentional.
<50>Nov 11 17:57:58 SymantecServer test08: ADMIN-test,Local: 96.x.x.x,Local: 0,Local: 01005E000001,Remote: 180.x.x.x,Remote: ,Remote: 0,Remote: 0024975F762B,8,
Inbound,Begin: 2015-11-10 22:35:30,End: 2015-11-10 22:35:30,Occurrences: 1,Application: ,Rule: Allow IGMP traffic,Location: IBM VPN,User: *******,Domain: ADMIN-test,Action: Allowed
The payload above will show up in QRadar with a Source IP of 180.x.x.x and a Destination IP of 96.x.x.x because the event is Inbound.
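The following parser, added here as an illustration and not code from IBM QRadar or Symantec, applies the same direction rule to a SEP syslog payload: it strips the syslog header, splits the comma-separated fields positionally, and assigns Source/Destination IP from the Remote/Local fields depending on whether the event is Inbound or Outbound. The two sample events are constructed to match the layout of the payload above, with the masked octets replaced by RFC 5737 documentation addresses; the field positions and the assumption that the Rule name contains no commas are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample events in the same layout as the page's payload. The
# masked "x.x.x" octets are replaced with documentation addresses; the second
# event is an Outbound variant made up for contrast.
INBOUND_EVENT = (
    "<50>Nov 11 17:57:58 SymantecServer test08: ADMIN-test,"
    "Local: 192.0.2.10,Local: 0,Local: 01005E000001,"
    "Remote: 198.51.100.25,Remote: ,Remote: 0,Remote: 0024975F762B,8,"
    "Inbound,Begin: 2015-11-10 22:35:30,End: 2015-11-10 22:35:30,"
    "Occurrences: 1,Application: ,Rule: Allow IGMP traffic,"
    "Location: IBM VPN,User: *******,Domain: ADMIN-test,Action: Allowed"
)
OUTBOUND_EVENT = (
    "<50>Nov 11 17:58:02 SymantecServer test08: ADMIN-test,"
    "Local: 192.0.2.10,Local: 51514,Local: 01005E000001,"
    "Remote: 198.51.100.25,Remote: ,Remote: 53,Remote: 0024975F762B,17,"
    "Outbound,Begin: 2015-11-10 22:35:41,End: 2015-11-10 22:35:41,"
    "Occurrences: 1,Application: ,Rule: Allow DNS,"
    "Location: IBM VPN,User: *******,Domain: ADMIN-test,Action: Allowed"
)

# Syslog PRI + timestamp + "SymantecServer <host>: " prefix (assumed layout).
HEADER_RE = re.compile(r"^<\d+>\S+ +\d+ [\d:]+ SymantecServer [^:\s]+: ")

# Positional field layout after the header, derived from the sample payload.
LOCAL_IP, REMOTE_IP, DIRECTION, RULE, ACTION = 1, 4, 9, 14, 18
MIN_FIELDS = 19


@dataclass
class NormalizedEvent:
    direction: str
    source_ip: str
    destination_ip: str
    rule: str
    action: str
    local_ip: str
    remote_ip: str


def _strip_label(field: str) -> str:
    # "Local: 192.0.2.10" -> "192.0.2.10"; unlabeled fields are returned as-is.
    return field.split(": ", 1)[1] if ": " in field else field


def parse_sep_event(line: str) -> NormalizedEvent:
    """Parse one SEP firewall syslog line and pick Source/Destination by direction."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a SymantecServer syslog line")
    # Positional split; assumes free-text fields such as Rule contain no commas.
    fields = [_strip_label(f) for f in line[m.end():].split(",")]
    if len(fields) < MIN_FIELDS:
        raise ValueError(f"expected at least {MIN_FIELDS} fields, got {len(fields)}")

    local_ip, remote_ip = fields[LOCAL_IP], fields[REMOTE_IP]
    direction = fields[DIRECTION]
    if direction == "Inbound":
        # Inbound: traffic arrives at the local host, so the remote side is the source.
        source_ip, destination_ip = remote_ip, local_ip
    elif direction == "Outbound":
        # Outbound: the local host initiated, so the local side is the source.
        source_ip, destination_ip = local_ip, remote_ip
    else:
        raise ValueError(f"unknown direction {direction!r}")

    return NormalizedEvent(
        direction=direction,
        source_ip=source_ip,
        destination_ip=destination_ip,
        rule=fields[RULE],
        action=fields[ACTION],
        local_ip=local_ip,
        remote_ip=remote_ip,
    )


if __name__ == "__main__":
    for raw in (INBOUND_EVENT, OUTBOUND_EVENT):
        ev = parse_sep_event(raw)
        print(f"{ev.direction:8} src={ev.source_ip:15} dst={ev.destination_ip:15} "
              f"rule={ev.rule!r} action={ev.action}")
```

Running the script shows the Inbound event with the Remote address as Source IP and the Outbound event with the Local address as Source IP, which is the mapping the answer describes. When checking a real QRadar deployment, compare the parsed Source IP against the Remote or Local field in the raw payload rather than against a fixed field position.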
Where do you find more information?
31 August 2018