Source versus Destination in event 5156
Posted 5/3/2010 5:19:56 AM
Forum Newbie
Group: Forum Members
Last Login: 3/2/2011 10:43:10 AM
Posts: 4, Visits: 2
Hi All,

I was just looking at a 5156 event, and I noticed something a bit strange about it. We are using a security log retrieval tool. It connects to our boxes via port 445. When I review the events on the actual machine, the event entry says:

"Network Information:
Direction: Inbound
Source Address: 10.XXX.XXX.XXX
Source Port: 445
Destination Address: 10.XXX.XXX.XXX
Destination Port: 36112
Protocol: 6"

The strange thing is that it appears as if the log has it the wrong way around. The source address is entered as the local box, and the destination is the actual source box where the connection was initiated from. Literally the opposite way around. Logic would say the source box should be the box that actually wants to connect.
Anyone else seen this yet?
Post #369
Posted 5/4/2010 7:06:30 PM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
It does indeed appear to be reversed!
Post #372
Posted 1/31/2014 3:47:41 PM
Forum Newbie
Group: Forum Members
Last Login: 2/10/2014 3:26:52 PM
Posts: 4, Visits: 11
I have noticed the same thing on a lot of my systems. I temporarily enabled auditing for successful connections, and see that the Source/Destination IP and Source/Destination Port for Inbound connections seem to be reversed.

For example, when browsing to a website on a server, the Source IP is the server itself and the Source Port is 80. The Destination IP/Port is actually the IP of the workstation accessing the website. To me, on the server for an Inbound connection, I would have thought the Destination IP/Port would be the web server IP/80.

Is it supposed to be this (reversed) way?

Post #1315
Posted 2/2/2014 2:31:08 PM
Supreme Being
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0
I believe you are looking at the inbound connection from the Web Server.

"when browsing to a website on a server, the Source IP is the server itself and Source Port is 80"

The connection from the web server back to the workstation will have a Source Port of 80 and a Source IP of the web server. The connection from the web server will also have a Destination IP/Port of the workstation.
Post #1318
Posted 10/27/2017 4:09:55 AM
Forum Newbie
Group: Forum Members
Last Login: 3/2/2011 10:43:10 AM
Posts: 4, Visits: 2
Revisiting this event code related to something else, searching the internet for clues, and finding myself having asked the same question 7 years ago.
Post #7422
Posted 5/22/2018 5:20:52 AM
Forum Newbie
Group: Forum Members
Last Login: 5/22/2018 7:50:27 AM
Posts: 1, Visits: 2
It's not a bug.
Source means Local, and Destination means Remote.
That's why for an inbound connection, Source and Destination seem reversed.

More information: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
Post #7476
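The rule in the post above (Source = local endpoint, Destination = remote endpoint, and only Direction tells you who initiated) is easy to get wrong in a SIEM or log parser, which then attributes a lateral-movement connection to the victim instead of the attacker. The following is an added example, not code from the original thread or from Microsoft: it parses the raw XML of a 5156 event and relabels the fields as local/remote and initiator/responder. The two sample events are constructed to match the scenarios described in the thread (an inbound SMB connection to port 445, and a workstation browsing to a web server). The host names, IP addresses and ephemeral ports are made up; the EventData field names and the Direction resource strings (%%14592 Inbound, %%14593 Outbound) are those used in the real event XML.

```python
"""
Normalise the address fields of Windows event 5156 (WFP permitted connection).

In a 5156 event "Source" is always the LOCAL endpoint and "Destination" is
always the REMOTE endpoint, whatever the Direction says.  An inbound SMB
connection is therefore logged with Source Port 445 on the local machine.
This parser relabels the fields as local/remote and then uses Direction to
work out which side actually opened the connection.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Direction is stored as a resource-string ID in the raw EventData XML.
DIRECTION = {"%%14592": "Inbound", "%%14593": "Outbound"}
# IANA protocol numbers as they appear in the Protocol field.
PROTOCOL = {"6": "TCP", "17": "UDP", "1": "ICMP"}


def make_event(computer, app, direction, src, sport, dst, dport, proto="6"):
    """Build a minimal, constructed 5156 event XML string for testing."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>5156</EventID><Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="ProcessID">4</Data>
    <Data Name="Application">{app}</Data>
    <Data Name="Direction">{direction}</Data>
    <Data Name="SourceAddress">{src}</Data>
    <Data Name="SourcePort">{sport}</Data>
    <Data Name="DestAddress">{dst}</Data>
    <Data Name="DestPort">{dport}</Data>
    <Data Name="Protocol">{proto}</Data>
  </EventData>
</Event>"""


# Constructed sample 1: the log collector (10.0.0.50) connecting to SMB on the
# file server (10.0.0.10), as seen in the FILE SERVER's own security log.
SAMPLE_INBOUND = make_event("fileserver.corp.example", "System",
                            "%%14592", "10.0.0.10", 445, "10.0.0.50", 36112)

# Constructed sample 2: a workstation (10.0.0.50) browsing to a web server
# (10.0.0.10:80), as seen in the WORKSTATION's security log.
SAMPLE_OUTBOUND = make_event("ws01.corp.example", r"\device\harddiskvolume2\browser.exe",
                             "%%14593", "10.0.0.50", 51234, "10.0.0.10", 80)


def parse_5156(xml_text):
    """Return the connection with fields relabelled as local/remote/initiator."""
    root = ET.fromstring(xml_text)
    event_id = root.find("e:System/e:EventID", NS).text
    if event_id != "5156":
        raise ValueError(f"not a 5156 event (EventID={event_id})")
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}

    direction = DIRECTION.get(data["Direction"], data["Direction"])
    local = (data["SourceAddress"], int(data["SourcePort"]))   # "Source" = this host
    remote = (data["DestAddress"], int(data["DestPort"]))      # "Destination" = peer

    # Direction, not the Source/Destination labels, identifies the initiator.
    if direction == "Inbound":
        initiator, responder = remote, local
    else:
        initiator, responder = local, remote

    return {
        "computer": root.find("e:System/e:Computer", NS).text,
        "application": data.get("Application", ""),
        "direction": direction,
        "protocol": PROTOCOL.get(data["Protocol"], data["Protocol"]),
        "local": local,
        "remote": remote,
        "initiator": initiator,
        "responder": responder,
    }


def describe(conn):
    """One-line summary in initiator -> responder order."""
    (ia, ip), (ra, rp) = conn["initiator"], conn["responder"]
    return f"{ia}:{ip} -> {ra}:{rp} ({conn['protocol']}, {conn['direction']} on {conn['computer']})"


if __name__ == "__main__":
    for sample in (SAMPLE_INBOUND, SAMPLE_OUTBOUND):
        print(describe(parse_5156(sample)))
```

Once normalised this way, both samples read as the same kind of line, "client:ephemeral -> server:service", and a detection rule for "unexpected inbound 445 from a non-admin subnet" can key on `initiator` and `responder` instead of trusting the Source/Destination labels.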