
Bug #1683: X-Forwarded-For (multiple IPs) - not reflected properly in the alert log

Added by Peter Manev about 10 years ago. Updated almost 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

When an HTTP request has multiple IPs in X-Forwarded-For (reverse or forward mode), this is not reflected in the alert when using the following settings in the eve.json alert section, for example:

            xff:
              enabled: yes
              # Two operation modes are available, "extra-data" and "overwrite".
              mode: overwrite
              # Two proxy deployments are supported, "reverse" and "forward". In
              # a "reverse" deployment the IP address used is the last one, in a
              # "forward" deployment the first IP address is used.
              deployment: forward
              # Header name where the actual IP address will be reported, if more
              # than one IP address is present, the last IP address will be the
              # one taken into consideration.
              header: X-Forwarded-For

The generated alert gets its src_ip overwritten, for example, only when a single IP is present in the XFF header (as opposed to multiple).

Pcap shared privately

Updated by Victor Julien about 10 years ago #1

I don't understand the issue. What are you expecting and what are you seeing? Please add log examples here.

Updated by Peter Manev about 10 years ago #2

In the case where the HTTP X-Forwarded-For field (as per the pcaps previously shared) contains only one IP, for example:

....
Host: somehost.net
Connection: keep-alive
X-Forwarded-For: A.A.A.A
....

In the case above, with the configuration previously shown for the eve.json xff section, if we generate an alert for that HTTP packet/request/etc., the alert is:

"event_type":"alert","src_ip":"A.A.A.A","src_port":42630,"dest_ip":"IP.IP.IP.IP","dest_port":80,"proto":"TCP".....

which works as expected.

Now if we have the same scenario as above but with this difference in the HTTP X-Forwarded-For field:

....
Host: somehost.net
Connection: keep-alive
X-Forwarded-For: A.A.A.A, B.B.B.B, C.C.C.C, D.D.D.D
....

the alert is:

"event_type":"alert","src_ip":"IP.IP.IP.IP","src_port":42630,"dest_ip":"IP.IP.IP.IP","dest_port":80,"proto":"TCP".....

As opposed to :

"event_type":"alert","src_ip":"A.A.A.A","src_port":42630,"dest_ip":"IP.IP.IP.IP","dest_port":80,"proto":"TCP".....

In other words, when the X-Forwarded-For HTTP field contains a list of IPs, the generated alert information (provided the eve.json xff section is configured as previously described) does not overwrite the src_ip as expected (with respect to the "forward" and "reverse" deployment scenarios respectively).
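The expected behaviour described in this comment, written out as an added example (this is not Suricata's code and not part of the ticket): a small parser that splits a multi-valued X-Forwarded-For header, picks the first address for a "forward" deployment and the last for a "reverse" deployment, and either overwrites src_ip or attaches the address as extra data. The alert record and header values are constructed (RFC 5737 documentation addresses), and the "xff" key used for extra-data mode is an assumed field name, not taken from Suricata.

```python
import ipaddress
import json
from typing import Dict, List, Optional


def parse_xff(header_value: str) -> List[str]:
    """Split a comma-separated X-Forwarded-For value into the addresses it lists.

    Whitespace around each entry is stripped and tokens that are not valid
    IPv4/IPv6 literals are dropped, so a malformed or hostile entry cannot
    poison the result.
    """
    ips: List[str] = []
    for token in header_value.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            ips.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # not an IP literal, ignore it
    return ips


def select_xff_ip(header_value: str, deployment: str) -> Optional[str]:
    """Return the address the configured deployment mode selects, or None.

    "forward": first entry (the original client, as seen by a forward proxy).
    "reverse": last entry (the address the reverse proxy itself appended).
    """
    ips = parse_xff(header_value)
    if not ips:
        return None
    if deployment == "forward":
        return ips[0]
    if deployment == "reverse":
        return ips[-1]
    raise ValueError(f"unknown deployment {deployment!r}")


def apply_xff(alert: Dict, header_value: str, deployment: str = "forward",
              mode: str = "overwrite") -> Dict:
    """Apply the XFF setting to a copy of an eve alert record.

    overwrite: replace src_ip with the selected address.
    extra-data: keep src_ip and add the address under an assumed "xff" key.
    With no usable address the record is returned unchanged.
    """
    out = dict(alert)
    ip = select_xff_ip(header_value, deployment)
    if ip is None:
        return out
    if mode == "overwrite":
        out["src_ip"] = ip
    elif mode == "extra-data":
        out["xff"] = ip  # assumed field name for extra-data mode
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return out


# Constructed sample alert and header values (not from the shared pcap).
ALERT = {
    "event_type": "alert",
    "src_ip": "198.51.100.9",   # packet-level source, i.e. the proxy
    "src_port": 42630,
    "dest_ip": "192.0.2.10",
    "dest_port": 80,
    "proto": "TCP",
}
SINGLE_XFF = "203.0.113.5"
MULTI_XFF = "203.0.113.5, 10.0.0.2, 172.16.4.1, 198.51.100.77"


if __name__ == "__main__":
    for label, header in (("single", SINGLE_XFF), ("multiple", MULTI_XFF)):
        for deployment in ("forward", "reverse"):
            print(label, deployment, json.dumps(apply_xff(ALERT, header, deployment)))
```

Both header shapes must resolve to an address: with the multi-valued header, "forward" yields 203.0.113.5 and "reverse" yields 198.51.100.77, while a header with no parseable entry leaves the packet-level src_ip untouched. Keep in mind that everything in X-Forwarded-For except the hop appended by a proxy you operate is client-controlled, so the deployment setting should match where your proxy actually sits; in a "forward" deployment the first entry is whatever the client chose to send.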

Updated by Eric Leblond about 10 years ago #3

  • Assignee set to Eric Leblond

Updated by Peter Manev almost 10 years ago #4

  • Status changed from New to Closed

This was fixed a while ago by - https://github.com/inliniac/suricata/pull/1878
