Project

General

Profile

Actions

Feature #2519

open

XFF iprep support

Added by chris lujan almost 6 years ago. Updated about 5 years ago.

Status:
New
Priority:
Normal
Target version:
Effort:
medium
Difficulty:
high
Label:

Description

I have made many attempts and I am fairly confident that when xff is enabled (in overwrite mode), iprep is not applied to the overwritten field and does not alert.
My method of testing was:
1) GET / request to the webserver behind the load-balancer from a tor-browser (using an IP in iprep list), no alerts.
2) GET /uid=0(root) gid=0(root) groups=0(root) request to the webserver behind the load-balancer from a tor-browser (using an IP in iprep list), GPL ATTACK_RESPONSE id check returned root alert present, XFF ip present in src_ip field (src_ip found in iprep files).
3) Make GET request to IP found in iprep list (ET TOR Known Tor Exit Node Traffic group 7 && OTX internal host talking to host known in pulse alerted).
4) Change iprep rule from $HOME_NET any -> any any to any any -> any any, retry steps 1-3, same results.

Actions #1

Updated by Andreas Herz almost 6 years ago

  • Assignee set to Anonymous
  • Target version set to TBD

could you prepare a pcap?

Actions #2

Updated by Victor Julien almost 6 years ago

  • Tracker changed from Bug to Feature
  • Effort set to medium
  • Difficulty set to high
  • Affected Versions deleted (4.0.4)

XFF is currently only used for output. Detection support would mean the detection engine would need to become aware of XFF.

Actions #3

Updated by Andreas Herz about 5 years ago

  • Assignee set to Community Ticket
Actions

Also available in: Atom PDF