<p dir="ltr">Hi Peter,</p>
<p dir="ltr">Ignacio passed the ball on that one to me. In the Suricata GitHub you have a pull request for the newest version with the comments addressed. </p>
<p dir="ltr">Best regards,<br>
Duarte</p>
<div class="gmail_quote">On 27 Aug 2013 08:03, "Peter Manev" <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Mon, Aug 26, 2013 at 9:24 PM, Cooper F. Nelson <<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a>> wrote:<br>
> -----BEGIN PGP SIGNED MESSAGE-----<br>
> Hash: SHA1<br>
><br>
> Http.log will just log the contents of the X-Forwarded-For header.<br>
><br>
> What I'm looking for is something like the Apache mod_rpaf feature:<br>
><br>
>> <a href="http://kasunh.wordpress.com/2011/10/11/preserving-remote-iphost-while-proxying/" target="_blank">http://kasunh.wordpress.com/2011/10/11/preserving-remote-iphost-while-proxying/</a><br>
><br>
> So yes, as you mentioned something like a libhtp directive that would<br>
> pass the contents of the X-Forwarded-For header as the source IP to the<br>
> logging module.<br>
><br>
> There is something similar in development already:<br>
><br>
>> <a href="https://redmine.openinfosecfoundation.org/issues/478" target="_blank">https://redmine.openinfosecfoundation.org/issues/478</a><br>
<br>
ahh yes, I almost forgot about this feature. It is almost ready btw<br>
(90%) - I will try to ping Ignacio and see what is needed to finish<br>
it.<br>
<br>
><br>
> I think the issue is if I remember correctly from this discussion re:<br>
> snort, is that they don't want to change behavior of the 'fast' output<br>
> in any major way.  So, for example, the source IP logged is always the<br>
> source IP of the logged packet, never anything else.<br>
><br>
> Thinking about it this is probably the right thing to do.<br>
<br>
I think it is the right thing to do, unless of course there are better<br>
ways/ideas.... ?<br>
<br>
><br>
> - -Coop<br>
><br>
> On 8/26/2013 10:56 AM, Peter Manev wrote:<br>
>><br>
>> P.S.  Would be nice if libhtp had the feature to "follow<br>
>> X-Forwarded-For" to allow logging of origin IPs.<br>
>><br>
>>> http.log has that custom logging feature(X-Forwarded...). Is this<br>
>>> what you have in mind or you mean more like an "alert" log<br>
>>> feature?<br>
>><br>
><br>
> - --<br>
> Cooper Nelson<br>
> Network Security Analyst<br>
> UCSD ACT Security Team<br>
> <a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>
> -----BEGIN PGP SIGNATURE-----<br>
> Version: GnuPG v2.0.17 (MingW32)<br>
> Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
><br>
> iQEcBAEBAgAGBQJSG510AAoJEKIFRYQsa8FWaVwH/1z8s9Uj/rkL4Sk/QGvkzY7H<br>
> FH2GA2Bq2U5gbez+H5F9ZJ/4PSeSs1753ZbbA8YT/lp7bHy/TDgByhJ77hdCyB5D<br>
> xUzUQobC65V/h9y7egXqVijNiKIW2a+fO3uhgYdNDGj3qXXNHyPRamIuakIflhC5<br>
> m0jo80PLiaFcHvFAHt7alzaPbig1vsEjpnziDtyYyndsJiSD8AuSknH7wA8QWknG<br>
> uyofVZnAf3FKpUmkOBc9bXEm5yTrvuupC0WZiaypn45ar5cDf5ppWZOEx+t3TTQV<br>
> SkWh34tub3qFjKk7Kk08QIgEdKUa81exD3HIk7+JuO5B6uYJcvT1sf32Tes9YAk=<br>
> =/T32<br>
> -----END PGP SIGNATURE-----<br>
<br>
<br>
<br>
--<br>
Regards,<br>
Peter Manev<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</blockquote></div>
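<p dir="ltr">The thread above describes two ways an alert logger could use X-Forwarded-For: keep the packet's source IP as-is (the unchanged "fast" output Cooper describes) and carry the derived origin as an extra field, or overwrite the source IP mod_rpaf-style. The following is an added illustration of that logic, not code from Suricata, libhtp or any of the posters; the function names, the "reverse"/"forward" deployment terms (the sensor behind a reverse proxy sees the client as the rightmost hop the proxies appended, whereas behind a forward proxy the original client is the leftmost entry), the trusted-proxy list and all addresses and header values are constructed for the example. The security point it adds is that the client controls the leftmost part of the header, so a reverse-proxy deployment must walk from the right and skip its own proxies rather than trust the first value.</p>

```python
"""Added example: picking a client "origin IP" from X-Forwarded-For for
alert logging, with the packet source either preserved or overwritten.
Not Suricata code; names and sample data are invented for illustration."""
import ipaddress


def parse_xff(header_value):
    """Split an X-Forwarded-For value into its address list, left to right.

    Entries that are not IP addresses ("unknown", or junk a client injected)
    are dropped instead of being logged as if they were addresses.
    """
    addrs = []
    for part in header_value.split(","):
        part = part.strip()
        # Some proxies write IPv6 as [addr] or [addr]:port; keep only addr.
        if part.startswith("["):
            part = part[1:].split("]")[0]
        try:
            addrs.append(str(ipaddress.ip_address(part)))
        except ValueError:
            continue
    return addrs


def origin_ip(packet_src, header_value, deployment="reverse", trusted_proxies=()):
    """Return the client address an alert should carry.

    deployment="reverse": the sensor sits behind one or more reverse proxies
      that each appended their peer, so the real client is the rightmost entry
      that is not one of our own trusted proxies. Anything further left may
      have been supplied by the client itself and is not trusted.
    deployment="forward": the sensor watches traffic leaving a forward proxy;
      the original client is the leftmost entry.
    Falls back to packet_src when the header yields nothing usable.
    """
    addrs = parse_xff(header_value)
    if not addrs:
        return packet_src
    if deployment == "forward":
        return addrs[0]
    if deployment != "reverse":
        raise ValueError("deployment must be 'reverse' or 'forward'")
    trusted = {str(ipaddress.ip_address(p)) for p in trusted_proxies}
    for addr in reversed(addrs):
        if addr not in trusted:
            return addr
    # Every entry was one of our proxies: nothing better than the packet.
    return packet_src


def alert_record(packet_src, packet_dst, header_value, mode="extra-data", **kw):
    """Build an alert record in one of the two shapes discussed in the thread.

    mode="extra-data": src_ip stays the packet's source (existing fast-log
      behaviour) and the derived origin goes into a separate "xff" field.
    mode="overwrite": src_ip is replaced by the origin, as mod_rpaf does.
    Extra keyword arguments are passed to origin_ip().
    """
    origin = origin_ip(packet_src, header_value, **kw)
    record = {"src_ip": packet_src, "dest_ip": packet_dst}
    if mode == "extra-data":
        record["xff"] = origin
    elif mode == "overwrite":
        record["src_ip"] = origin
    else:
        raise ValueError("mode must be 'extra-data' or 'overwrite'")
    return record


# Constructed sample: client 203.0.113.7 sent its own bogus X-Forwarded-For
# ("198.51.100.9"), proxy 10.0.0.5 appended the client, and the packet the
# sensor sees comes from a second proxy, 10.0.0.6. Both proxies are ours.
SAMPLE_XFF = "198.51.100.9, 203.0.113.7, 10.0.0.5"
PACKET_SRC = "10.0.0.6"
PACKET_DST = "192.0.2.10"
TRUSTED = ("10.0.0.5", "10.0.0.6")

if __name__ == "__main__":
    for mode in ("extra-data", "overwrite"):
        print(mode, alert_record(PACKET_SRC, PACKET_DST, SAMPLE_XFF, mode=mode,
                                 deployment="reverse", trusted_proxies=TRUSTED))
```

<p dir="ltr">Run stand-alone it prints the same alert twice, once with the proxy address still in src_ip and the origin in xff, once with src_ip overwritten by 203.0.113.7; the spoofed 198.51.100.9 is only ever chosen in the "forward" deployment, which is the wrong setting for this topology.</p>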