Breadcrumbs

Origin Interface

The network port or interface from which the activity originated (for example, attacker or client).

Data Type

String

Aliases

Use

Alias

Client Console Full Name

Interface (Origin)

Client Console Short Name

Not applicable

Web Console Tab/Name

Interface (Origin)

Elasticsearch Field Name

originInterface

Rule Builder Column Name

sinterface

Regex Pattern

<sinterface>

NetMon Name

Not applicable

Field Relationships

  • SIP
  • SIPv4
  • SIPv6
  • SIPv6E
  • Origin Hostname
  • Origin Hostname or IP
  • Origin NAT IP
  • DIP
  • DIPv4
  • DIPv6
  • DIPv6E
  • Impacted Hostname
  • Impacted Hostname or IP
  • Impacted NAT IP


  • Origin Port
  • Origin NAT Port
  • Impacted Port
  • Impacted NAT Port
  • Origin MAC Address
  • Impacted MAC Address
  • Impacted Interface
  • Origin Domain
  • Impacted Domain
  • Origin Login
  • Impacted Account
  • IANA Protocol Number
  • IANA Protocol Name

Common Applications

  • Switches

  • Firewalls

  • Network equipment

Use Case

Troubleshooting connectivity.

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • Origin is Client (In Client-Server Model).

  • Origin is Attacker (In Attacker-Target Model).

  • If you have more than just a port number (for example, a switch ID), capture full interface name including switch ID.

  • A Wireless Access Point can be an interface.

Examples

  • FortiGate

02 25 2010 13:56:25 1.1.1.1 <LOC5:ALRT> date=2010-02-25 time=13:56:25 devname=FG322222222222222 device_id=FG2222222222 log_id=0419016384 type=ips subtype=signature pri=alert fwver=040003 severity=critical carrier_ep="N/A" profile="scan" src=1.1.1.1 dst=1.1.1.1 src_int="port1" dst_int="port2" policyid=48 serial=23455436 status=detected proto=6 service=2612/tcp vd="root" count=1 src_port=80 dst_port=2612 attack_id=107347979 sensor="all_default" ref="http://Host1/ids/VID107347979" user="N/A" group="N/A" incident_serialno=128862663 msg="http_decoder: HTTP.Request.Smuggling"

Firewall log showing a signature detection with interface src (origin). In this case, the possible attacker (origin) is represented as source from the Firewall perspective.

  • Squid Proxy

2014/05/01 10:45:29| Accepting  spoofing HTTP connections at 1.1.1.1:3128, FD 14.

Connection origin showing IP and corresponding interface.

  • Juniper Firewall

08 23 2016 09:56:43 1.1.1.1 <USER:INFO> 1 2016-08-23T14:56:42.429Z USABLDRRECFLOW01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@1.1.1.1.2.40 source-address="1.1.1.1" source-port="57101" destination-address="1.1.1.1" destination-port="443" service-name="junos-https" nat-source-address="1.1.1.1" nat-source-port="57101" nat-destination-address="1.1.1.1" nat-destination-port="443" src-nat-rule-type="static rule" src-nat-rule-name="ARUBA_RAP_WLC3600_xlate" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="EMEA_ARUBA_GUEST_ACCESS" source-zone-name="FRONTEND_DMZ" destination-zone-name="INTERNET" session-id-32="83048" username="N/A" roles="N/A" packet-incoming-interface="reth5.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"]

Showing inbound interface in flow.

  • Cisco Router

10 09 2016 01:59:26 1.1.1.1 <LOC7:ERRR> Original Address=1.1.1.1 39296: Oct  9 01:59:48: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Interface Gi4/0/38: Power Controller reports Short detected

Parse full interface Gi4/0/38.