Bug #1683
[Closed] X-Forwarded-For (multiple IPs) - not reflected properly in the alert log
Description
When an HTTP request has multiple IPs in X-Forwarded-For (reverse or forward mode), this is not reflected in the alert when using the following settings in the alert eve.json section, for example -
  xff:
    enabled: yes
    # Two operation modes are available, "extra-data" and "overwrite".
    mode: overwrite
    # Two proxy deployments are supported, "reverse" and "forward". In
    # a "reverse" deployment the IP address used is the last one, in a
    # "forward" deployment the first IP address is used.
    deployment: forward
    # Header name where the actual IP address will be reported, if more
    # than one IP address is present, the last IP address will be the
    # one taken into consideration.
    header: X-Forwarded-For
The generated alert only gets its src_ip overwritten when a single IP is present in the XFF header (as opposed to multiple).
Pcap shared privately
Updated by Victor Julien almost 10 years ago
I don't understand the issue. What are you expecting and what are you seeing? Please add log examples here.
Updated by Peter Manev almost 10 years ago
In the case where the http X-Forwarded-For field (as per the pcaps previously shared) contains only one IP, example:
.... Host: somehost.net Connection: keep-alive X-Forwarded-For: A.A.A.A ....
In that case above - with the configuration previously shown for eve.json xff's section - if we generate an alert for that http packet/request/etc.. - the alert is:
"event_type":"alert","src_ip":"A.A.A.A","src_port":42630,"dest_ip":"IP.IP.IP.IP","dest_port":80,"proto":"TCP".....
which works as expected.
Now if we have the same scenario as above but with this difference in the http X-Forwarded-For field:
.... Host: somehost.net Connection: keep-alive X-Forwarded-For: A.A.A.A, B.B.B.B, C.C.C.C, D.D.D.D ....
the alert is:
"event_type":"alert","src_ip":"IP.IP.IP.IP","src_port":42630,"dest_ip":"IP.IP.IP.IP","dest_port":80,"proto":"TCP".....
As opposed to :
"event_type":"alert","src_ip":"A.A.A.A","src_port":42630,"dest_ip":"IP.IP.IP.IP","dest_port":80,"proto":"TCP".....
In other words, when the X-Forwarded-For http field contains a list of IPs, the generated alert information (provided the eve.json xff section is configured as previously described) does not overwrite the src_ip as expected (with respect to "forward" and "reverse" deployment scenarios respectively).
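The behaviour Peter describes above, written out as an added Python example (not Suricata's code and not part of this ticket): the XFF header is split into its IP list, the address is chosen by deployment mode (forward = first, reverse = last, as the config comments state), and only then is the alert's src_ip overwritten. The sample header lines and alert are constructed, and the "xff" output key used for extra-data mode is an assumption.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample inputs (not taken from the privately shared pcap).
SINGLE_XFF = "X-Forwarded-For: 203.0.113.10"
MULTI_XFF = "X-Forwarded-For: 203.0.113.10, 198.51.100.7, 192.0.2.44, 192.0.2.99"
BASE_ALERT = {"event_type": "alert", "src_ip": "192.0.2.1", "src_port": 42630,
              "dest_ip": "192.0.2.2", "dest_port": 80, "proto": "TCP"}


def parse_xff(header_line: str) -> List[str]:
    """Split an XFF header into its IP list, one entry per comma.

    The header is client-controlled, so entries that are not valid IPv4/IPv6
    literals are dropped instead of being copied into the alert.
    """
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "x-forwarded-for":
        return []
    ips = []
    for raw in value.split(","):
        try:
            ips.append(str(ipaddress.ip_address(raw.strip())))
        except ValueError:
            continue  # e.g. "unknown" or an obfuscated hop: ignore it
    return ips


def select_xff_ip(ips: List[str], deployment: str) -> Optional[str]:
    """'forward' uses the first address, 'reverse' the last (per the config)."""
    if not ips:
        return None
    if deployment == "forward":
        return ips[0]
    if deployment == "reverse":
        return ips[-1]
    raise ValueError(f"unknown deployment {deployment!r}")


def apply_xff(alert: Dict, header_line: str, mode: str, deployment: str) -> Dict:
    """Return a copy of the alert with the selected XFF address applied."""
    out = dict(alert)
    chosen = select_xff_ip(parse_xff(header_line), deployment)
    if chosen is None:
        return out  # no usable XFF address: keep the packet's own src_ip
    if mode == "overwrite":
        out["src_ip"] = chosen
    elif mode == "extra-data":
        out["xff"] = chosen  # assumed key name for extra-data mode
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return out
```

With a multi-IP header, the forward deployment must yield the first address and the reverse deployment the last; the original src_ip being kept in that case is exactly the bug reported here.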
Updated by Peter Manev over 9 years ago
- Status changed from New to Closed
This was fixed a while ago by - https://github.com/inliniac/suricata/pull/1878