SYSMON log, reversed order of SRC and DST

  • Question

  • Hi there,

    I have Sysmon installed on my Windows Server 2008 R2 (testing environment).

    The problem:

    In the logs, the local Windows system is always considered the "Source" and the other party is considered the "Destination".

    When a connection is initiated from the Windows box to a remote system, this is totally fine, but when there is a connection from a remote system to our local machine, this behavior can be misleading in Event Viewer:

    In the following scenario, the Windows Server has these IP addresses on 2 interfaces: (10.0.3.15), (192.168.1.17), and the remote system in the local network is: (192.168.1.2)


    Case 1: Connection to the Google website using IE:

    ===================================

    Network connection detected:
    RuleName: Usermode
    UtcTime: 2019-08-01 09:26:08.255
    ProcessGuid: {1c073786-b02d-5d42-0000-0010a4282000}
    ProcessId: 2816
    Image: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    User: WIN-5265KREHC5H\Administrator
    Protocol: tcp
    Initiated: true
    SourceIsIpv6: false
    SourceIp: 10.0.3.15
    SourceHostname: WIN-5265KREHC5H
    SourcePort: 49242
    SourcePortName: 
    DestinationIsIpv6: false
    DestinationIp: 216.58.205.228
    DestinationHostname: fra15s24-in-f4.1e100.net
    DestinationPort: 80
    DestinationPortName: http

    ======================================

    Case 2: Connection to the local IIS from a host in internal network:

    ======================================

    Network connection detected:
    RuleName: NETCON
    UtcTime: 2019-08-01 09:28:18.524
    ProcessGuid: {1c073786-9266-5d42-0000-0010eb030000}
    ProcessId: 4
    Image: System
    User: NT AUTHORITY\SYSTEM
    Protocol: tcp
    Initiated: false
    SourceIsIpv6: false
    SourceIp: 192.168.1.17
    SourceHostname: WIN-5265KREHC5H
    SourcePort: 80
    SourcePortName: http
    DestinationIsIpv6: false
    DestinationIp: 192.168.1.2
    DestinationHostname: 
    DestinationPort: 60618
    DestinationPortName: 

    ============================================

    As you can see, regardless of which system is connecting to which, the Windows server is always considered the "Source".

    Regards,

    Mohammad.

    Thursday, August 1, 2019 9:33 AM
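    The two records quoted above, as an added example (not part of the original thread and not Sysmon's own code): a small Python parser for the Event Viewer "Key: Value" layout, plus a normalization step that uses the Initiated field together with the server's own interface addresses (the two from the question) to put the connection initiator on the Source side before the events reach a SIEM or a detection rule. The LOCAL_ADDRESSES set and all function names are assumptions of this example; in practice the local addresses would come from the host's interface list. The swap is only applied when a record contradicts "Source = initiator", so events from a build that already logs accepted connections correctly pass through unchanged.

```python
from typing import Dict, List, Optional, Set

# Constructed sample: the two Sysmon Event ID 3 records quoted in the question,
# in the multi-line "Key: Value" layout shown by Event Viewer.
SAMPLE_EVENTS = r"""
Network connection detected:
RuleName: Usermode
UtcTime: 2019-08-01 09:26:08.255
ProcessGuid: {1c073786-b02d-5d42-0000-0010a4282000}
ProcessId: 2816
Image: C:\Program Files (x86)\Internet Explorer\iexplore.exe
User: WIN-5265KREHC5H\Administrator
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 10.0.3.15
SourceHostname: WIN-5265KREHC5H
SourcePort: 49242
SourcePortName:
DestinationIsIpv6: false
DestinationIp: 216.58.205.228
DestinationHostname: fra15s24-in-f4.1e100.net
DestinationPort: 80
DestinationPortName: http

Network connection detected:
RuleName: NETCON
UtcTime: 2019-08-01 09:28:18.524
ProcessGuid: {1c073786-9266-5d42-0000-0010eb030000}
ProcessId: 4
Image: System
User: NT AUTHORITY\SYSTEM
Protocol: tcp
Initiated: false
SourceIsIpv6: false
SourceIp: 192.168.1.17
SourceHostname: WIN-5265KREHC5H
SourcePort: 80
SourcePortName: http
DestinationIsIpv6: false
DestinationIp: 192.168.1.2
DestinationHostname:
DestinationPort: 60618
DestinationPortName:
"""

# The server's own interface addresses from the question. Assumption of this
# example: in production take them from the host's interface list instead.
LOCAL_ADDRESSES: Set[str] = {"10.0.3.15", "192.168.1.17"}

# Fields that exist in both a Source* and a Destination* variant.
SIDE_FIELDS = ("IsIpv6", "Ip", "Hostname", "Port", "PortName")
RECORD_START = "Network connection detected:"


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split Event Viewer text into one dict per 'Network connection detected' record."""
    events: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == RECORD_START:
            current = {}
            events.append(current)
            continue
        if current is None or ":" not in line:
            continue  # text outside a record, or a line without a key
        key, _, value = line.partition(":")  # split on the FIRST colon only
        current[key.strip()] = value.strip()
    return events


def normalize(event: Dict[str, str], local_addresses: Set[str]) -> Dict[str, str]:
    """Return a copy in which Source is the initiator (client) and Destination the listener."""
    fixed = dict(event)
    initiated = fixed.get("Initiated", "").lower() == "true"
    source_is_local = fixed.get("SourceIp") in local_addresses
    # On the affected builds an accepted connection (Initiated: false) is logged
    # with the local listener as Source. Swap only when a record contradicts
    # "Source = initiator", so correctly logged records pass through untouched.
    if not initiated and source_is_local:
        for field in SIDE_FIELDS:
            src, dst = "Source" + field, "Destination" + field
            fixed[src], fixed[dst] = fixed.get(dst, ""), fixed.get(src, "")
        fixed["Normalized"] = "swapped"
    else:
        fixed["Normalized"] = "unchanged"
    fixed["Direction"] = "outbound" if initiated else "inbound"
    return fixed


def describe(event: Dict[str, str]) -> str:
    """One-line client -> server summary of a normalized record."""
    return ("{Direction} {Protocol} {SourceIp}:{SourcePort} -> "
            "{DestinationIp}:{DestinationPort} ({Image})").format(**event)


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_EVENTS):
        print(describe(normalize(ev, LOCAL_ADDRESSES)))
```

    Run as a script it prints the outbound IE connection unchanged and the inbound IIS connection as 192.168.1.2:60618 -> 192.168.1.17:80, which is the client-to-server view a detection rule for "who connected to my web server" actually needs. Keeping the original Source*/Destination* values alongside the normalized ones (rather than overwriting the raw event) is advisable when the events are also used as forensic evidence.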

Answers

  • Actually yes :-)

    I was able to reproduce this and trace it to an issue with the way that Sysmon processes accept() calls which is the scenario you are seeing. I have resolved this and it will be included with several other fixes/features in the forthcoming 10.3 release.

    MarkC (MSFT)

    • Marked as answer by M.Golyani Thursday, August 15, 2019 7:38 AM
    Tuesday, August 13, 2019 1:16 PM

All replies

  • Hi Mohammad,

    Thanks for reporting this. Would you mind sharing one of your log files with me so that I can look at the raw events? You can email me offline at syssite@microsoft.com

    MarkC (MSFT)

    Thursday, August 1, 2019 3:26 PM
  • Just mailed.
    Friday, August 2, 2019 10:30 AM
  • any news? :D
    Friday, August 9, 2019 12:06 PM
  • Great :D
    tnx ;o)
    Thursday, August 15, 2019 7:38 AM