XFF iprep support
I have made many attempts and I am fairly confident that when xff is enabled (in overwrite mode), iprep is not applied to the overwritten field and does not alert.
My method of testing was:
1) GET / request to the webserver behind the load-balancer from a tor-browser (using an IP in iprep list), no alerts.
2) GET /uid=0(root) gid=0(root) groups=0(root) request to the webserver behind the load-balancer from a tor-browser (using an IP in iprep list), GPL ATTACK_RESPONSE id check returned root alert present, XFF ip present in src_ip field (src_ip found in iprep files).
3) GET request to IP found in iprep list (ET TOR Known Tor Exit Node Traffic group 7 && OTX internal host talking to host known in pulse alerted).
4) Change iprep rule from $HOME_NET any -> any any to any any -> any any, retry steps 1-3, same results.
Updated by Victor Julien about 4 years ago
- Tracker changed from Bug to Feature
- Effort set to medium
- Difficulty set to high
- Affected Versions deleted (
XFF is currently only used for output. Detection support would mean the detection engine would need to become aware of XFF.
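Since the detection engine does not see the XFF address, one defender-side workaround is to re-check iprep against the client address in the eve output after the fact. The script below is an added example, not code from Suricata or this issue: it reads constructed eve.json lines (one in "extra-data" mode, assumed to carry the client address in a top-level "xff" key, one in "overwrite" mode where src_ip already holds it), loads a constructed reputation file in Suricata's ip,category,score format, and emulates an iprep match using the numeric category id and a score threshold.

```python
import json

# Constructed reputation data in Suricata's reputation-file format
# (ip,category,score); category 1 stands for a hypothetical "Tor" category.
REPUTATION_FILE = """\
# ip,category,score
198.51.100.7,1,100
203.0.113.9,1,80
"""

# Constructed eve.json records (hypothetical addresses). The first mimics
# xff mode "extra-data" (client address in the top-level "xff" key), the
# second mimics "overwrite" (client address already placed in src_ip).
EVE_LINES = """\
{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","xff":"198.51.100.7","http":{"url":"/"}}
{"event_type":"http","src_ip":"203.0.113.9","dest_ip":"10.0.0.20","http":{"url":"/"}}
{"event_type":"http","src_ip":"10.0.0.6","dest_ip":"10.0.0.20","http":{"url":"/"}}
"""

def load_reputation(text):
    """Parse ip,category,score lines into {ip: {category_id: score}}."""
    rep = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, cat, score = line.split(",")
        rep.setdefault(ip, {})[int(cat)] = int(score)
    return rep

def client_ip(event):
    """Prefer the XFF-derived address; fall back to the flow's src_ip."""
    return event.get("xff") or event.get("src_ip")

def iprep_matches(eve_text, rep, category, threshold):
    """Emulate 'iprep:any,<category>,>,<threshold>' on the client address."""
    hits = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        ip = client_ip(event)
        score = rep.get(ip, {}).get(category)
        if score is not None and score > threshold:
            hits.append((ip, score))
    return hits

if __name__ == "__main__":
    rep = load_reputation(REPUTATION_FILE)
    for ip, score in iprep_matches(EVE_LINES, rep, 1, 30):
        print(f"iprep hit: client {ip} category 1 score {score}")
```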