Bug #1683

closed

X-Forwarded-For (multiple IPs) - not reflected properly in the alert log

Added by Peter Manev about 8 years ago. Updated almost 8 years ago.

Status: Closed
Priority: Normal
Target version: -

Description

When an http request has multiple IPs in X-Forwarded-For (reverse or forward mode), this is not reflected in the alert when using the following settings in the alert eve.json section, for example:

            xff:
              enabled: yes
              # Two operation modes are available, "extra-data" and "overwrite".
              mode: overwrite
              # Two proxy deployments are supported, "reverse" and "forward". In
              # a "reverse" deployment the IP address used is the last one, in a
              # "forward" deployment the first IP address is used.
              deployment: forward
              # Header name where the actual IP address will be reported, if more
              # than one IP address is present, the last IP address will be the
              # one taken into consideration.
              header: X-Forwarded-For

the generated alert gets its src_ip overwritten for example when only one IP is present in the XFF header (as opposed to multiple).

Pcap shared privately

Actions #1

Updated by Victor Julien about 8 years ago

I don't understand the issue. What are you expecting and what are you seeing? Please add log examples here.

Actions #2

Updated by Peter Manev about 8 years ago

In the case where the http X-Forwarded-For field (as per the pcaps previously shared) contains only one IP, for example:

....
Host: somehost.net
Connection: keep-alive
X-Forwarded-For: A.A.A.A
....

In the case above, with the configuration previously shown for the eve.json xff section, if we generate an alert for that http packet/request/etc., the alert is:

"event_type":"alert","src_ip":"A.A.A.A","src_port":42630,"dest_ip":"IP.IP.IP.IP","dest_port":80,"proto":"TCP".....

which works as expected.

Now if we have the same scenario as above but with this difference in the http X-Forwarded-For field:

....
Host: somehost.net
Connection: keep-alive
X-Forwarded-For: A.A.A.A, B.B.B.B, C.C.C.C, D.D.D.D
....

the alert is:

"event_type":"alert","src_ip":"IP.IP.IP.IP","src_port":42630,"dest_ip":"IP.IP.IP.IP","dest_port":80,"proto":"TCP".....

As opposed to :

"event_type":"alert","src_ip":"A.A.A.A","src_port":42630,"dest_ip":"IP.IP.IP.IP","dest_port":80,"proto":"TCP".....

In other words, when the X-Forwarded-For http field contains a list of IPs, the generated alert information (pending the eve.json xff section being configured as previously described) does not overwrite the src_ip as expected (with respect to "forward" and "reverse" deployment scenarios respectively).
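The selection rule the xff config comments describe (forward deployment takes the first address, reverse takes the last) together with the overwrite and extra-data modes, applied to an eve alert the way the comment above expects. This is an added Python example, not Suricata's own code; the sample alert, the IP addresses, the function names and the direction handling (requests overwrite src_ip, responses dest_ip) are assumptions.

```python
import ipaddress

# Constructed sample alert (not from the report); the proxy's address sits in
# src_ip, which is what the xff "overwrite" mode is meant to replace.
SAMPLE_ALERT = {"event_type": "alert", "src_ip": "203.0.113.10",
                "src_port": 42630, "dest_ip": "198.51.100.80",
                "dest_port": 80, "proto": "TCP"}


def xff_client_ip(header_value, deployment="forward"):
    """Pick the client address from an X-Forwarded-For value.

    "forward": first entry (client, then each proxy appends itself).
    "reverse": last entry (the one added by the trusted edge proxy).
    Returns None for an empty header or an entry that is not a valid IP,
    so an attacker-supplied junk token never replaces the flow tuple.
    """
    entries = [e.strip() for e in header_value.split(",") if e.strip()]
    if not entries:
        return None
    chosen = entries[0] if deployment == "forward" else entries[-1]
    try:
        return str(ipaddress.ip_address(chosen))
    except ValueError:
        return None


def apply_xff(alert, header_value, mode="overwrite",
              deployment="forward", direction="toserver"):
    """Return a copy of the alert with the xff setting applied.

    mode "overwrite": replace src_ip for a request ("toserver") or dest_ip
    for a response ("toclient") (assumed direction rule).
    mode "extra-data": keep the tuple and add an "xff" field instead.
    """
    out = dict(alert)
    ip = xff_client_ip(header_value, deployment)
    if ip is None:
        return out  # nothing usable in the header: leave the tuple alone
    if mode == "extra-data":
        out["xff"] = ip
    elif mode == "overwrite":
        out["src_ip" if direction == "toserver" else "dest_ip"] = ip
    return out


if __name__ == "__main__":
    multi = "10.0.0.1, 192.0.2.2, 198.51.100.3, 203.0.113.4"
    print(apply_xff(SAMPLE_ALERT, multi))                # src_ip -> 10.0.0.1
    print(apply_xff(SAMPLE_ALERT, multi, deployment="reverse"))
```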

Actions #3

Updated by Eric Leblond about 8 years ago

  • Assignee set to Eric Leblond

Actions #4

Updated by Peter Manev almost 8 years ago

  • Status changed from New to Closed

This was fixed a while ago by - https://github.com/inliniac/suricata/pull/1878
