
Bug #1683


X-Forwarded-For (multiple IPs) - not reflected properly in the alert log

Added by Peter Manev over 8 years ago. Updated almost 8 years ago.

Status: Closed
Priority: Normal
Target version: -

Description

When an HTTP request has multiple IPs in X-Forwarded-For (reverse or forward mode), this is not reflected in the alert when using the following settings in the alert eve.json section, for example:

            xff:
              enabled: yes
              # Two operation modes are available, "extra-data" and "overwrite".
              mode: overwrite
              # Two proxy deployments are supported, "reverse" and "forward". In
              # a "reverse" deployment the IP address used is the last one, in a
              # "forward" deployment the first IP address is used.
              deployment: forward
              # Header name where the actual IP address will be reported, if more
              # than one IP address is present, the last IP address will be the
              # one taken into consideration.
              header: X-Forwarded-For

The generated alert gets its src_ip overwritten, for example, when only one IP is present in the XFF header (as opposed to multiple).

Pcap shared privately
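The following is an added illustration of the X-Forwarded-For semantics the configuration above describes; it is not code from this report or from Suricata. It parses a comma-separated XFF value into individual addresses, picks the first one for a "forward" deployment and the last one for a "reverse" deployment, and then applies either the "overwrite" or the "extra-data" mode to a minimal alert record. The header dictionaries, the alert record and the helper names (xff_candidates, xff_client_ip, apply_xff) are all constructed here for the example and are assumptions, not Suricata internals; in particular, the simplification that only src_ip is rewritten is an assumption.

```python
import ipaddress

# Constructed sample requests (assumptions for this example, not the pcap from the report).
SINGLE_XFF = {"Host": "example.test", "X-Forwarded-For": "203.0.113.7"}
MULTI_XFF = {"Host": "example.test",
             "X-Forwarded-For": "203.0.113.7, 198.51.100.23, 10.0.0.5"}
NO_XFF = {"Host": "example.test"}
# Real-world XFF values often carry placeholders such as "unknown" or odd spacing.
JUNK_XFF = {"x-forwarded-for": "unknown, 203.0.113.7,  2001:db8::1 "}


def xff_candidates(headers, header_name="X-Forwarded-For"):
    """Return every syntactically valid IP in the configured header, in header order.

    Header names are matched case-insensitively, and the value is split on commas
    because each proxy hop appends its upstream address to the existing list.
    """
    raw = None
    for name, value in headers.items():
        if name.lower() == header_name.lower():
            raw = value
            break
    if raw is None:
        return []
    ips = []
    for token in raw.split(","):
        token = token.strip()
        try:
            ips.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # skip "unknown" and other non-address tokens
    return ips


def xff_client_ip(headers, deployment="forward", header_name="X-Forwarded-For"):
    """Select the address the deployment mode designates as the real client.

    forward: the first address, i.e. the client as seen by the first proxy.
    reverse: the last address, i.e. the one appended by the trusted proxy in
             front of the server. Everything earlier in the list is attacker
             controlled, which is why the mode must match the topology.
    """
    ips = xff_candidates(headers, header_name)
    if not ips:
        return None
    if deployment == "forward":
        return ips[0]
    if deployment == "reverse":
        return ips[-1]
    raise ValueError("deployment must be 'forward' or 'reverse'")


def apply_xff(alert, headers, mode="overwrite", deployment="forward",
              header_name="X-Forwarded-For"):
    """Return a copy of the alert with XFF applied per the configured mode.

    overwrite:  src_ip is replaced by the selected XFF address.
    extra-data: src_ip is kept and the selected address is added as "xff".
    An alert without a usable XFF header is returned unchanged in both modes.
    """
    selected = xff_client_ip(headers, deployment, header_name)
    result = dict(alert)
    if selected is None:
        return result
    if mode == "overwrite":
        result["src_ip"] = selected
    elif mode == "extra-data":
        result["xff"] = selected
    else:
        raise ValueError("mode must be 'overwrite' or 'extra-data'")
    return result


if __name__ == "__main__":
    # Constructed alert: the packet-level source is the proxy, 192.0.2.1.
    base = {"event_type": "alert", "src_ip": "192.0.2.1", "dest_ip": "192.0.2.80"}
    for name, hdrs in (("single", SINGLE_XFF), ("multi", MULTI_XFF), ("none", NO_XFF)):
        for dep in ("forward", "reverse"):
            print(name, dep, apply_xff(base, hdrs, "overwrite", dep)["src_ip"])
```

Running the block prints the src_ip each combination yields; the multi-IP case is the one the report is about, where the forward deployment should yield 203.0.113.7 and the reverse deployment 10.0.0.5, while a single-IP header gives 203.0.113.7 under both modes.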

