Bug #2305
closedunified2 alerts not including xff ips using extra-data mode
Description
Tested on Suricata 4.0.1
For an HTTP request with XFF headers, unified2 alert output does not include extra data events with XFF info.
Enabled XFF with extra-data mode configuration per: https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L280
Full configuration file also attached.
Attached rules file is intended to trigger alerts for each packet.
Tested pcap and unified2 output also attached.
Note: Using overwrite mode worked as expected, only extra-data mode has this issue.
Files
Updated by Andreas Herz about 7 years ago
- Assignee set to Anonymous
- Target version set to TBD
Updated by Andreas Herz over 5 years ago
unified2 will be deprecated, can you test with EVE json?
Updated by Jason Ish over 2 years ago
- Status changed from New to Rejected
Closing with a status of rejected as this won't be fixed. Unified2 was removed in the 6.0 release: https://redmine.openinfosecfoundation.org/issues/2385