Project

General

Profile

Actions

Bug #2305

closed

unified2 alerts not including xff ips using extra-data mode

Added by Dan Humphries about 5 years ago. Updated 9 months ago.

Status:
Rejected
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Tested on Suricata 4.0.1

For an HTTP request with XFF headers, unified2 alert output does not include extra data events with XFF info.

Enabled XFF with extra-data mode configuration per: https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L280
Full configuration file also attached.

Attached rules file is intended to trigger alerts for each packet.
Tested pcap and unified2 output also attached.

Note: Using overwrite mode worked as expected, only extra-data mode has this issue.


Files

suricata_tmpl.yaml (64.4 KB) suricata_tmpl.yaml configuration file Dan Humphries, 11/29/2017 12:26 PM
local.rules (203 Bytes) local.rules rules (intended to trigger on each packet) Dan Humphries, 11/29/2017 12:28 PM
xff-extradata.pcap (316 KB) xff-extradata.pcap pcap for single get request with XFF header Dan Humphries, 11/29/2017 12:30 PM
suricata.alert.1511973527 (20 KB) suricata.alert.1511973527 unified2 output Dan Humphries, 11/29/2017 12:33 PM
Actions

Also available in: Atom PDF