[Oisf-devel] Help with XFF

Victor Julien victor at inliniac.net
Wed Aug 15 10:05:37 UTC 2012


On 07/19/2012 05:41 PM, I. Sanchez wrote:
> - Modify the current unified2 format used by suricata to support
> extrahdrs and include the XFF IP in there (like snort does)
>   -- Pros: we keep the original srcip of the packet untouched
>   -- Cons: barnyard2 does not support the processing of these extrahdr
> records; we have to modify the current unified2 format used by suricata

Yeah this is the way to go. Not sure how far Barnyard2 is in developing
support for it, but we can probably help them out if necessary.

> - Overwrite the srcip of the logged packet by the XFF IP if the
> suricata administrator decides to activate this feature via the
> suricata.yaml file.
>   -- Pros: simple to implement, no need to modify barnyard2
>   -- Cons: we overwrite the original IP (however if the suricata
> administrator decides to activate this feature it is because there is a
> reverse proxy which performs SNAT and terminates the HTTP or HTTPS
> inbound connections and adds the XFF header, so I see no need to keep
> the actual src ip - the one of the reverse proxy)

I don't like this solution.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
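The two options above, modelled as an added example that is not code from the thread or from Suricata: the alert record is a plain dict standing in for a unified2 event (not the binary wire format), and the XFF header is parsed with every element validated, since the header is client-supplied until a trusted proxy appends to it.

```python
import ipaddress


def parse_xff(header_value):
    """Return the valid IP literals in an X-Forwarded-For value, left to right.

    Elements that are not IP addresses (e.g. "unknown") are dropped rather
    than logged, so a malformed header cannot put garbage in the alert.
    """
    if not header_value:
        return []
    ips = []
    for part in header_value.split(","):
        part = part.strip()
        try:
            ips.append(str(ipaddress.ip_address(part)))
        except ValueError:
            continue  # not an IP literal; skip it
    return ips


def alert_with_extra_record(pkt_src, xff_header):
    """First option: keep the packet's source IP and carry the XFF IP in a
    separate extra record (here an extra dict field). Nothing is lost."""
    xff = parse_xff(xff_header)
    record = {"src_ip": pkt_src}
    if xff:
        # Leftmost element is the original client as seen by the first proxy;
        # which hop to pick is a policy choice, assumed here.
        record["extra_xff_ip"] = xff[0]
    return record


def alert_overwrite_src(pkt_src, xff_header):
    """Second option: overwrite the logged source with the XFF IP.
    The reverse proxy address is discarded, and a missing or unusable
    header silently falls back to the proxy IP with no indication why."""
    xff = parse_xff(xff_header)
    return {"src_ip": xff[0] if xff else pkt_src}


if __name__ == "__main__":
    # Constructed sample: reverse proxy 10.0.0.1 forwarding for 203.0.113.7
    print(alert_with_extra_record("10.0.0.1", "203.0.113.7, 10.0.0.2"))
    print(alert_overwrite_src("10.0.0.1", "203.0.113.7, 10.0.0.2"))
    print(alert_overwrite_src("10.0.0.1", "unknown"))
```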
