Hi there!<br>
<br>
I am trying to implement support for XFF (X-Forwarded-For). As a first
step, I would like to modify alert-debuglog.c to replace the srcip of the
triggered alert with the client IP address given in the XFF header, when
XFF has been enabled in suricata.yaml and the header is present in the
request.<br>
<br>
I am inserting the XFF extraction code in the AlertDebugLogger function, right after:<br>
<br>
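/* Printable source/destination addresses of the packet. Both buffers are
 * 46 bytes (the longest IPv6 text form plus NUL) and start out empty, so a
 * packet that is neither IPv4 nor IPv6 leaves them as "" instead of
 * uninitialized memory that a later print would read. */
char srcip[46] = "", dstip[46] = "";

if (PKT_IS_IPV4(p)) {
    PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
    PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
    PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
    PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
}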
<br>
<br>
My code is currently:<br>
<br>
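/* XFF Code: when XFF handling is enabled for this logger, replace srcip
 * with the client address carried in the configured XFF request header.
 *
 * srcip is the caller's char[46] (already holding the packet's own source
 * address); it is only overwritten when a usable header value is found.
 * aft->debuglog_ctx->xff_header is the header name looked up in the
 * transaction's request headers; ALERT_DEBUGLOG_XFF_MINLEN is the shortest
 * value accepted.
 *
 * NOTE(review): the header value is client-supplied and is copied as-is;
 * nothing here checks that it is a single, parseable IP address (XFF can
 * carry a comma-separated chain of addresses), so whatever is later printed
 * from srcip must be treated as untrusted text. */
if (aft->debuglog_ctx->flags & ALERT_DEBUGLOG_XFF) {
    HtpState *htp_state = NULL;
    htp_tx_t *tx = NULL;
    htp_header_t *h_xff = NULL;
    size_t idx = 0;

    if (p->flow && AppLayerGetProtoFromPacket(p) == ALPROTO_HTTP &&
        AppLayerTransactionGetLoggedId(p->flow) >= 0 &&
        HtpTransactionGetLoggableId(p->flow) >= 0) {
        htp_state = (HtpState *) AppLayerGetProtoStateFromPacket(p);
        size_t logged = (size_t) AppLayerTransactionGetLoggedId(p->flow);
        size_t loggable = (size_t) HtpTransactionGetLoggableId(p->flow);

        /* Only transactions in [logged, loggable) are inspected; a
         * transaction that is still in progress is not in that range. */
        if (htp_state && htp_state->connp && htp_state->connp->conn &&
            logged < loggable) {
            for (idx = logged; idx < loggable; idx++) {
                tx = list_get(htp_state->connp->conn->transactions, idx);
                if (tx == NULL || tx->request_headers == NULL) {
                    continue;
                }
                h_xff = table_getc(tx->request_headers, aft->debuglog_ctx->xff_header);
                if (h_xff == NULL) {
                    continue;
                }

                /* bstr data is not NUL-terminated, so strcpy() from
                 * bstr_ptr() would read past the header value until it
                 * finds a NUL elsewhere in memory and could overflow srcip
                 * no matter what the length check says. Copy exactly
                 * bstr_len() bytes and terminate explicitly; the upper
                 * bound leaves room for the terminator. */
                size_t xff_len = bstr_len(h_xff->value);
                if (xff_len > ALERT_DEBUGLOG_XFF_MINLEN - 1 && xff_len < sizeof(srcip)) {
                    memcpy(srcip, bstr_ptr(h_xff->value), xff_len);
                    srcip[xff_len] = '\0';
                }
            }
        }
    }
}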
<br>
The problem is that it never reaches "step 3", because logged is
always >= loggable (even though the XFF header is present in the
request that triggered the alert). I suspect this happens because, at
the point the alert is triggered, the HTTP transaction is not yet
finished (the same code works fine in log-httplog). <br>
<br>
How should I modify the code to extract the XFF header, if available, even when the transaction is not finished?<br>
<br>
Thank you! Regards,<br>
<br>
<br>
Ignacio Sanchez