[Oisf-devel] Help with XFF

Victor Julien victor at inliniac.net
Thu Aug 23 10:49:27 UTC 2012


On 08/15/2012 03:42 PM, Martin Holste wrote:
>>> -  Overwrite the srcip of the logged packet by the XFF IP if the
>>> suricata administrator decides to activate this feature via the
>>> suricata.yaml file.
>>>   -- Pros: simple to implement, no need to modify barnyard2
>>>   -- Cons: we overwrite the original IP (however if the suricata
>>> administrator decides to activate this feature it is because there is a
>>> reverse proxy which performs SNAT and terminates the HTTP or HTTPS
>>> inbound connections and adds the XFF header, so I see no need to keep
>>> the actual src ip - the one of the reverse proxy)
>>
>> I don't like this solution.
> 
> I don't either, but it's the best one.  Even if the unified2 format
> were changed to record this info, no consoles are going to show them
> the XFF.  From a developer's perspective, it's a terrible idea, but as
> an incident responder, it's necessary to provide value to the IR team.
> 

I guess if we go this way we should link it with either our libhtp
config or the address variables so that we're not replacing this on
untrusted input. Would be a great way to fool IR.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
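The trust gate Victor asks for above, written out as an added example (not Suricata or libhtp code): the logged source IP is only replaced by an XFF address when the packet actually came from a configured reverse proxy, and the chain is walked from the right so a proxy-appended hop wins over anything the client prepended. `TRUSTED_PROXIES` is a constructed stand-in for the libhtp config / address-variable list.

```python
import ipaddress

# Constructed list of the reverse proxies known to add X-Forwarded-For.
# Stands in for Suricata's address variables (assumption, not real config).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def _is_trusted(addr, trusted):
    """True if addr falls inside any trusted proxy network."""
    return any(addr in net for net in trusted)


def effective_client_ip(src_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return (ip_to_log, replaced).

    src_ip is only overwritten when src_ip itself is a trusted proxy.
    A host talking to the sensor directly can send any XFF header it
    likes, so honouring it would let an attacker point IR at the wrong
    machine. Hops are read right-to-left, skipping trusted proxies, so
    the value the last trusted proxy appended is the one used.
    """
    try:
        peer = ipaddress.ip_address(src_ip)
    except ValueError:
        return src_ip, False                 # unparsable src: leave alone
    if not _is_trusted(peer, trusted) or not xff_header:
        return src_ip, False                 # untrusted peer or no header
    hops = [h.strip() for h in xff_header.split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return src_ip, False             # malformed chain: trust none of it
        if not _is_trusted(addr, trusted):
            return str(addr), True           # rightmost non-proxy hop = client
    return src_ip, False                     # every hop was a proxy
```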