Project

General

Profile

Actions

Bug #2305

closed

unified2 alerts not including xff ips using extra-data mode

Added by Dan Humphries over 6 years ago. Updated about 2 years ago.

Status:
Rejected
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Tested on Suricata 4.0.1

For an HTTP request with XFF headers, unified2 alert output does not include extra data events with XFF info.

Enabled XFF with extra-data mode configuration per: https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L280
Full configuration file also attached.

Attached rules file is intended to trigger alerts for each packet.
Tested pcap and unified2 output also attached.

Note: Using overwrite mode worked as expected, only extra-data mode has this issue.


Files

suricata_tmpl.yaml (64.4 KB) suricata_tmpl.yaml configuration file Dan Humphries, 11/29/2017 12:26 PM
local.rules (203 Bytes) local.rules rules (intended to trigger on each packet) Dan Humphries, 11/29/2017 12:28 PM
xff-extradata.pcap (316 KB) xff-extradata.pcap pcap for single get request with XFF header Dan Humphries, 11/29/2017 12:30 PM
suricata.alert.1511973527 (20 KB) suricata.alert.1511973527 unified2 output Dan Humphries, 11/29/2017 12:33 PM
Actions #1

Updated by Andreas Herz over 6 years ago

  • Assignee set to Anonymous
  • Target version set to TBD
Actions #2

Updated by Andreas Herz about 5 years ago

  • Assignee set to Community Ticket
Actions #3

Updated by Andreas Herz over 4 years ago

unified2 will be deprecated, can you test with EVE json?

Actions #4

Updated by Jason Ish about 2 years ago

  • Status changed from New to Rejected

Closing with a status of rejected as this won't be fixed. Unified2 was removed in the 6.0 release: https://redmine.openinfosecfoundation.org/issues/2385

Actions

Also available in: Atom PDF