Bug #1683: X-Forwarded-For (multiple IPs) - not reflected properly in the alert log
Status: closed
Affected Versions:
Effort:
Difficulty:
Label:
Description
When an HTTP request carries multiple IPs in X-Forwarded-For (in either reverse or forward deployment mode), this is not reflected in the alert when using, for example, the following settings in the eve.json alert section:

```yaml
xff:
  enabled: yes
  # Two operation modes are available, "extra-data" and "overwrite".
  mode: overwrite
  # Two proxy deployments are supported, "reverse" and "forward". In
  # a "reverse" deployment the IP address used is the last one, in a
  # "forward" deployment the first IP address is used.
  deployment: forward
  # Header name where the actual IP address will be reported, if more
  # than one IP address is present, the last IP address will be the
  # one taken into consideration.
  header: X-Forwarded-For
```

The generated alert does get its src_ip overwritten when only one IP is present in the XFF header, but not when multiple IPs are present.
Pcap shared privately
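As an added illustration (not Suricata's own code), the selection rule from the `deployment` comment above (forward takes the first address, reverse the last) applied to a multi-IP header, plus a check of an EVE alert record's `src_ip` against it. The header value and alert record are constructed samples, not from the shared pcap.

```python
import ipaddress
import json

# Constructed sample header with three proxied hops (documentation ranges).
SAMPLE_XFF = "203.0.113.7, 198.51.100.2, 10.0.0.5"
# Constructed EVE alert record whose src_ip was NOT overwritten from the header.
SAMPLE_ALERT = '{"event_type": "alert", "src_ip": "192.0.2.10", "dest_ip": "10.0.0.9"}'


def parse_xff(header_value):
    """Split an X-Forwarded-For value into validated IP addresses.
    Entries that are not IPv4/IPv6 are dropped: the header is client-supplied
    and may contain arbitrary text."""
    ips = []
    for part in header_value.split(","):
        part = part.strip()
        try:
            ips.append(str(ipaddress.ip_address(part)))
        except ValueError:
            continue
    return ips


def select_xff_ip(header_value, deployment):
    """Pick the address per the suricata.yaml 'deployment' comment:
    'forward' -> first address, 'reverse' -> last address.
    Returns None when the header holds no usable address."""
    ips = parse_xff(header_value)
    if not ips:
        return None
    if deployment == "forward":
        return ips[0]
    if deployment == "reverse":
        return ips[-1]
    raise ValueError("deployment must be 'forward' or 'reverse'")


def check_alert(alert_json, header_value, deployment):
    """In overwrite mode the alert's src_ip should equal the selected XFF
    address. Returns (expected, actual, matches) for review or testing."""
    record = json.loads(alert_json)
    expected = select_xff_ip(header_value, deployment)
    actual = record.get("src_ip")
    return expected, actual, expected == actual


if __name__ == "__main__":
    print(check_alert(SAMPLE_ALERT, SAMPLE_XFF, "forward"))
```

Running it against real eve.json output lets you confirm whether `src_ip` was rewritten for multi-IP headers the way the configured deployment mode says it should be.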