<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>
<span style="color: rgb(68, 68, 68); font-size: 15px; line-height: 21.3px; background-color: rgb(255, 255, 255);">Hello oisf-users,</span>
<div style="line-height: 21.3px; color: rgb(68, 68, 68); font-size: 15px; background-color: rgb(255, 255, 255);">
<br style="line-height: 21.3px;">
<div style="line-height: 21.3px;">I am using Suricata version 3.0dev (rev 44a444b) and have trouble using the XFF feature.</div>
<div style="line-height: 21.3px;">I have enabled it on the EVE log in overwrite mode, but I still see the src_ip being the internal IP address.</div>
<div style="line-height: 21.3px;"><span style="line-height: 22.72px; font-size: 12pt;"><br style="line-height: 22.72px;"></span></div>
<div style="line-height: 21.3px;"><span style="line-height: 22.72px; font-size: 12pt;">I took a pcap trace and I see that the X-Forwarded-For field is there and well set.</span></div>
<div style="line-height: 21.3px;">Here is what I receive from Suricata:</div>
<div style="line-height: 21.3px;"><br style="line-height: 21.3px;"></div>
<div style="line-height: 21.3px;">
<div style="line-height: 21.3px;">{"timestamp":"2016-01-19T11:30:09.288203+0000","flow_id":30630416,"in_iface":"eth0","event_type":"http","src_ip":"172.11.0.19","src_port":48647,"dest_ip":"172.11.1.181","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"tmp.test.net","url":"\/test008\/status","http_user_agent":"curl\/7.38.0","xff":"X.X.X.X","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":862}}</div>
<div style="line-height: 22.72px; font-size: 12pt;"><br style="line-height: 22.72px;"></div>
</div>
<div style="line-height: 22.72px; font-size: 12pt;">I would expect that the src_ip field contains the value of the xff field.</div>
<div style="line-height: 22.72px; font-size: 12pt;">I tried to set the deployment field from the "reverse" default value to "forward", but I don't see any difference.</div>
<div style="line-height: 22.72px; font-size: 12pt;">Can you please help me? Maybe I am missing something!</div>
<div style="line-height: 22.72px; font-size: 12pt;"><br style="line-height: 22.72px;"></div>
<div style="line-height: 22.72px; font-size: 12pt;">Thank you.</div>
<div style="line-height: 22.72px; font-size: 12pt;"><br style="line-height: 22.72px;"></div>
<div style="line-height: 22.72px; font-size: 12pt;">Emm</div>
</div>
</div></body>
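The message above contrasts two things an EVE XFF configuration can produce: an event that keeps the flow's own src_ip and carries the proxied address as an extra `http.xff` field (the shape of the quoted record), and one where src_ip is overwritten. The following is an added illustration, not Suricata's code and not part of the original message: it models both output shapes over a constructed event based on the quoted record. It goes beyond the single-address case in the message by handling a multi-hop header list; the selection rule assumed here follows the comments in Suricata's shipped suricata.yaml (a "reverse" deployment takes the last address, a "forward" deployment the first), and it assumes, as in the quoted event, that the request is logged with the proxy-side address as src_ip, so that is the field a client address would replace. Tokens that are not valid IP addresses leave the record untouched.

```python
"""Illustration of EVE X-Forwarded-For handling in 'extra-data' vs 'overwrite' mode.

Added example modelled on the event quoted in the message; not Suricata's own
implementation. The address-selection rule (reverse -> last, forward -> first)
is the one described in the comments of Suricata's shipped suricata.yaml.
"""
import copy
import ipaddress
import json

# Constructed raw inputs, modelled on the quoted event. The header value is a
# constructed multi-hop list: the client address first, then a proxy hop.
SAMPLE_EVENT = {
    "timestamp": "2016-01-19T11:30:09.288203+0000",
    "event_type": "http",
    "src_ip": "172.11.0.19", "src_port": 48647,
    "dest_ip": "172.11.1.181", "dest_port": 80,
    "proto": "TCP",
    "http": {"hostname": "tmp.test.net", "url": "/test008/status",
             "http_method": "GET", "status": 200},
}
SAMPLE_XFF_HEADER = "203.0.113.7, 10.0.0.5"


def select_xff_ip(header_value, deployment="reverse"):
    """Return the address an XFF-aware logger would take from the header value.

    "reverse" deployment: last address in the comma-separated list.
    "forward" deployment: first address in the list.
    Returns None when the chosen token is not a valid IP address (for example
    the literal 'unknown' some proxies insert), so the caller keeps the real
    flow addresses instead of logging an unusable value.
    """
    if deployment not in ("reverse", "forward"):
        raise ValueError(f"unknown deployment {deployment!r}")
    tokens = [t.strip() for t in header_value.split(",") if t.strip()]
    if not tokens:
        return None
    candidate = tokens[-1] if deployment == "reverse" else tokens[0]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def log_with_xff(event, header_value, mode="extra-data", deployment="reverse"):
    """Produce the EVE record for one HTTP request under the two XFF modes.

    extra-data: keep the flow's real 5-tuple and add the chosen address as
                http.xff (the shape of the event quoted in the message).
    overwrite:  replace src_ip with the chosen address. Assumption: the request
                is logged with the proxy-side address as src_ip, as in the
                quoted event, so src_ip is the field a client address replaces.
    The input event is not modified; a new dict is returned.
    """
    if mode not in ("extra-data", "overwrite"):
        raise ValueError(f"unknown mode {mode!r}")
    out = copy.deepcopy(event)
    ip = select_xff_ip(header_value, deployment) if header_value else None
    if ip is None:
        return out  # no usable header: the record is logged unchanged
    if mode == "extra-data":
        out.setdefault("http", {})["xff"] = ip
    else:
        out["src_ip"] = ip
    return out


if __name__ == "__main__":
    # Show all four combinations side by side for the constructed inputs.
    for mode in ("extra-data", "overwrite"):
        for deployment in ("reverse", "forward"):
            rec = log_with_xff(SAMPLE_EVENT, SAMPLE_XFF_HEADER, mode, deployment)
            summary = {"src_ip": rec["src_ip"], "xff": rec["http"].get("xff")}
            print(f"{mode:10s} {deployment:8s} {json.dumps(summary)}")
```

Running the block prints one line per mode/deployment pair; comparing an observed EVE record against the two shapes is a quick way to tell which mode a running sensor is effectively applying to a given event type.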
</html>