Project

General

Profile

Actions

Feature #2519

open

XFF iprep support

Added by chris lujan over 4 years ago. Updated over 3 years ago.

Status:
New
Priority:
Normal
Target version:
Effort:
medium
Difficulty:
high
Label:

Description

I have made many attempts and I am fairly confident that when xff is enabled (in overwrite mode), iprep is not applied to the overwritten field and does not alert.
My method of testing was:
1) GET / request to the webserver behind the load-balancer from a tor-browser (using an IP in iprep list), no alerts.
2) GET /uid=0(root) gid=0(root) groups=0(root) request to the webserver behind the load-balancer from a tor-browser (using an IP in iprep list), GPL ATTACK_RESPONSE id check returned root alert present, XFF ip present in src_ip field (src_ip found in iprep files).
3) Make GET request to IP found in iprep list (ET TOR Known Tor Exit Node Traffic group 7 && OTX internal host talking to host known in pulse alerted).
4) Change iprep rule from $HOME_NET any -> any any to any any -> any any, retry steps 1-3, same results.

Actions

Also available in: Atom PDF