SIPv6E
The IPv4 address, mapped to IPv6 (IPv6E), from which activity originated (for example, attacker or client).
Data Type
IP
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | Host (Origin) |
| Client Console Short Name | Not applicable |
| Web Console Tab/Name | Host (Origin) |
| Elasticsearch Field Name | originIpV6 |
| Rule Builder Column Name | SIP |
| Regex Pattern | <sipv6e> |
| NetMon Name | Not applicable |
Field Relationships
- SIP
- SIPv4
- SIPv6
- Origin Hostname
- Origin Hostname or IP
- Origin NAT IP
- DIP
- DIPv4
- DIPv6
- DIPv6E
- Impacted Hostname
- Impacted Hostname or IP
- Impacted NAT IP
- Origin Port
- Origin NAT Port
- Impacted Port
- Impacted NAT Port
- Origin MAC Address
- Impacted MAC Address
- Origin Interface
- Impacted Interface
- Origin Domain
- Impacted Domain
- Origin Login
- Impacted Account
- IANA Protocol Number
- IANA Protocol Name
Common Applications
Networked equipment.
Use Case
Host context
MPE/Data Masking Manipulations
Polyfield – Origin Host
Usage Standards
- Do not override or overload the tag: use <sipv6e>, not (?<sipv6e>.*?).
- Origin is Client (In Client-Server Model).
- Origin is Attacker (In Attacker-Target Model).
- Use when you see an Origin IPv4 address mapped to IPv6.
Examples
- Townsend Alliance LogAgent
11 02 2015 22:10:02 1.1.1.1 <ALRT:INFO> Nov 2 22:09:39 USABLDRRECFLOW01QAUDJRN:[PW@0 event="PW-Invalid user or password" event_type="Q-Signon failed profile disabled" actual_type="PW-Q" user_profile="PSTORE" device="" jrn_seq="6849716" timestamp="20151102220939315000" job_name="QZSOSIGN" user_name="QUSER" job_number="535772" eff_user="QUSER" ip_addr="::ffff:1.1.1.1" port="52584"]
::ffff:1.1.1.1 is an IPv4 address mapped to IPv6. Traditional <sip> and <dip> IP parsers do not work with this type of address.
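Added example (not part of the vendor documentation or product code): a Python pre-processing check that reads the ip_addr value from the log line above and decides whether it belongs in SIPv4, SIPv6 or SIPv6E. The function names, the returned dictionary layout and the choice to also return the embedded IPv4 address are assumptions made for illustration.

```python
import ipaddress
import re

# Excerpt of the Townsend Alliance LogAgent line shown above (fields trimmed).
SAMPLE = ('<ALRT:INFO> Nov 2 22:09:39 [PW@0 event="PW-Invalid user or password" '
          'user_name="QUSER" ip_addr="::ffff:1.1.1.1" port="52584"]')

KV = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs inside the [...] block


def classify_origin(value):
    """Return (field, embedded_ipv4) for an origin address string.

    field is 'SIPv4', 'SIPv6', 'SIPv6E', or None when value is not an IP.
    """
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None, None
    if addr.version == 4:
        return "SIPv4", str(addr)
    mapped = addr.ipv4_mapped  # set only for addresses in ::ffff:0:0/96
    if mapped is not None:
        return "SIPv6E", str(mapped)
    return "SIPv6", None


def extract_origin(line, key="ip_addr"):
    """Pull `key` from a key="value" log line and classify its address."""
    fields = dict(KV.findall(line))
    raw = fields.get(key)
    if raw is None:
        return None
    field, ipv4 = classify_origin(raw)
    return {"raw": raw, "field": field, "ipv4": ipv4,
            "port": fields.get("port")}


if __name__ == "__main__":
    print(extract_origin(SAMPLE))
    # Constructed inputs: hex spelling of the same mapped address, a native
    # IPv6 address, a plain IPv4 address, and an invalid value.
    for v in ("::ffff:101:101", "2001:db8::1", "1.1.1.1", "::ffff:1.1.1.300"):
        print(v, classify_origin(v))
```

Parsing the value before classifying it also catches the hex spelling ::ffff:101:101, which is the same address as ::ffff:1.1.1.1 and would be missed by matching the dotted form as text.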