Project

General

Profile

Actions
Copy link

Bug #2305

closed

unified2 alerts not including xff ips using extra-data mode

Added by Dan Humphries almost 7 years ago. Updated over 2 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
Community Ticket
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

Tested on Suricata 4.0.1

For an HTTP request with XFF headers, unified2 alert output does not include extra data events with XFF info.

Enabled XFF with extra-data mode configuration per: https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L280
Full configuration file also attached.

Attached rules file is intended to trigger alerts for each packet.
Tested pcap and unified2 output also attached.

Note: Using overwrite mode worked as expected, only extra-data mode has this issue.

Files

Download all files
suricata_tmpl.yaml (64.4 KB) suricata_tmpl.yaml configuration file Dan Humphries, 11/29/2017 12:26 PM
local.rules (203 Bytes) local.rules rules (intended to trigger on each packet) Dan Humphries, 11/29/2017 12:28 PM
xff-extradata.pcap (316 KB) xff-extradata.pcap pcap for single get request with XFF header Dan Humphries, 11/29/2017 12:30 PM
suricata.alert.1511973527 (20 KB) suricata.alert.1511973527 unified2 output Dan Humphries, 11/29/2017 12:33 PM
Actions
Copy link

Also available in: Atom PDF