[Oisf-devel] Help with XFF
Martin Holste
mcholste at gmail.com
Wed Aug 15 13:42:13 UTC 2012
>> - Overwrite the srcip of the logged packet by the XFF IP if the
>> suricata administrator decides to activate this feature via the
>> suricata.yaml file.
>> -- Pros: simple to implement, no need to modify barnyard2
>> -- Cons: we overwrite the original IP (however if the suricata
>> administrator decides to activate this feature it is because there is a
>> reverse proxy which performs SNAT and terminates the HTTP or HTTPS
>> inbound connections and adds the XFF header, so I see no need to keep
>> the actual src ip - the one of the reverse proxy)
>
> I don't like this solution.
I don't either, but it's the best one. Even if the unified2 format
were changed to record this info, no consoles are going to show them
the XFF. From a developer's perspective, it's a terrible idea, but as
an incident responder, it's necessary to provide value to the IR team.
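The decision the quoted option describes (overwrite the logged source IP with the XFF address when the administrator enables the feature, because a known reverse proxy terminates the inbound connection and adds the header), written out as an added example. This is illustration code, not Suricata's own implementation and not code from anyone in the thread; the proxy address, the alert dict and the function names are assumptions made here. It goes slightly beyond the quoted text in two ways a practitioner would expect: the XFF value is only honoured when the packet actually came from the configured proxy, and the header is walked from the right past the proxy's own address, falling back to the packet source IP when the header is missing or malformed.

```python
import ipaddress

# Constructed for this example: the reverse proxy that terminates inbound
# HTTP(S), SNATs the connection and appends X-Forwarded-For.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.0.0.5")})


def parse_xff(header):
    """Split an X-Forwarded-For value into IP addresses, dropping malformed entries.

    The list is returned in header order (leftmost = the first hop the proxies saw).
    """
    addrs = []
    for entry in (header or "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            addrs.append(ipaddress.ip_address(entry))
        except ValueError:
            # Not an IP literal: skip it rather than log garbage.
            continue
    return addrs


def effective_src_ip(packet_src, xff_header, xff_enabled, trusted_proxies=TRUSTED_PROXIES):
    """Return the source IP that should be written into the alert.

    With the feature disabled (the suricata.yaml switch in the proposal), or when
    the packet did not arrive from a trusted proxy, the packet's own source IP is
    kept. Otherwise the XFF list is walked from the right, skipping the trusted
    proxies' own addresses, and the first remaining address is used as the client.
    """
    packet_src = ipaddress.ip_address(packet_src)
    if not xff_enabled or packet_src not in trusted_proxies:
        return packet_src
    for addr in reversed(parse_xff(xff_header)):
        if addr not in trusted_proxies:
            return addr
    # Header absent, empty or entirely malformed: keep the packet source IP.
    return packet_src


def rewrite_alert(alert, xff_header, xff_enabled=True):
    """Apply the overwrite to a constructed alert dict and return the new dict."""
    rewritten = dict(alert)
    rewritten["src_ip"] = str(effective_src_ip(alert["src_ip"], xff_header, xff_enabled))
    return rewritten


if __name__ == "__main__":
    # Constructed alert as it would be logged without the feature: the proxy
    # shows up as the source because it SNATs the connection.
    alert = {"sid": 1, "src_ip": "10.0.0.5", "dest_ip": "10.0.0.20", "dest_port": 80}
    print(rewrite_alert(alert, "203.0.113.7, 10.0.0.5"))
```

Run stand-alone, the script prints the alert with `src_ip` replaced by `203.0.113.7`; with `xff_enabled=False`, or for a packet whose source is not the configured proxy, the original source IP is left untouched.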