Breadcrumbs

DIP/DestinationIP/Impacted IP

The host IP that was affected by the activity (for example, target or server). Destination IP in IPv4 or IPv6 format.

Data Type

IP

Aliases

Use

Alias

Client Console Full Name

Host (Impacted)

Client Console Short Name

Not applicable

Web Console Tab/Name

Host (Impacted)

Elasticsearch Field Name

impactedIp

Rule Builder Column Name

DIP

Regex Pattern

<dip>

NetMon Name

Not applicable

Field Relationships

  • SIP
  • SIPv4
  • SIPv6
  • SIPv6E
  • Origin Hostname
  • Origin Hostname or IP
  • Origin NAT IP
  • DIPv4
  • DIPv6
  • DIPv6E
  • Impacted Hostname
  • Impacted Hostname or IP
  • Impacted NAT IP
  • Origin Port


  • Origin NAT Port
  • Impacted Port
  • Impacted NAT Port
  • Origin MAC Address
  • Impacted MAC Address
  • Origin Interface
  • Impacted Interface
  • Origin Domain
  • Impacted Domain
  • Origin Login
  • Impacted Account
  • IANA Protocol Number
  • IANA Protocol Name

Common Applications

Networked equipment

Use Case

Host context

MPE/Data Masking Manipulations

Polyfield – Impacted Host

Usage Standards

  • Do not override/overload, use <dip> not (?<dip>.*?).

  • Impacted is server (In Client-Server Model).

  • Impacted is Target (In Attacker-Target Model).

  • Use when you see an Impacted IP address IPv4 or IPv6, unless it is an IPv4 address mapped to IPv6, in which case use <dipv6e>.

Examples

  • FireEye Web MPS

02 01 2016 17:13:19 1.1.1.1 <LOC4:WARN> fenotify-609081.warning: CEF:0|FireEye|MPS|1.1.1.1875|IM|infection-match|1|rt=Feb 01 2016 23:13:10 UTC src=1.1.1.1 cn3Label=cncPort cn3=80 cn2Label=sid cn2=84575103 shost= USABLDRRECFLOW01proto=tcp spt=51997 dst=1.1.1.1 cs5Label=cncHost cs5=1.1.1.1 dvchost=romaslcmp01 dvc=1.1.1.1 smac=00:00:00:00:00:00 cn1Label=vlan cn1=0 dpt=80 externalId=609081 cs4Label=link cs4=THINGS dmac=00:00:00:00:00:00 cs1Label=sname cs1=Exploit.Kit.AnglerDIPv4

Src= in this instance is the host IP impacted by the infection match described in the log. (Attacker-Target). Dst= is the command and control server and therefore the closest Origin (attacker) to be inferred from the log.

  • Brocade Switch

03 01 2017 02:08:41 1.1.1.1 <LOC6:NOTE> Mar  1 02:08:38 USABLDRRECFLOW01dataplane[2287]: fw rule INTERNAL-IN:10000 block udp(17) src= USABLDRRECFLOW01/0:00:00:0a:ea:e8/fe80::e0c0:f0f0:e00c:2029(546) dst=/22:22:2:1:0:2/ff22::2:2(547) len=159 hoplimit=1 len=119

Dst= IPv6 address following the MAC ID. Network context showing direction src->dst.