[Oisf-devel] Help with XFF

I. Sanchez sanchezmartin.ji at gmail.com
Thu Jul 19 15:41:43 UTC 2012


Hi Anoop,

Thank you for the information. I have rewritten the code like you suggested
and it is working OK now.

As regards the alert-debug I can indeed write the XFF IP without
overwriting the srcip, however my final goal is to add the XFF IP to the
unified2 alerts.

As discussed at https://redmine.openinfosecfoundation.org/issues/478 there
are 2 ways we can do this:

- Modify the current unified2 format used by suricata to support extrahdrs
and include the XFF IP in there (like snort does)
  -- Pros: we keep the original srcip of the packet untouched
  -- Cons: barnyard2 does not support the processing of these extrahdr
records; we have to modify the current unified2 format used by suricata

-  Overwrite the srcip of the logged packet by the XFF IP if the suricata
administrator decides to activate this feature via the suricata.yaml file.
  -- Pros: simple to implement, no need to modify barnyard2
  -- Cons: we overwrite the original IP (however if the suricata
administrator decides to activate this feature it is because there is a
reverse proxy which performs SNAT and terminates the HTTP or HTTPS inbound
connections and adds the XFF header, so I see no need to keep the actual
src ip - the one of the reverse proxy)

We could also do it both ways, and let the user decide...

Regards,

On Thu, Jul 19, 2012 at 4:15 PM, Anoop Saldanha <anoopsaldanha at gmail.com>wrote:

> Hi Ignacio,
>
> On Wed, Jul 18, 2012 at 9:17 PM, I. Sanchez <sanchezmartin.ji at gmail.com>
> wrote:
> > Hi there!
> >
> > I am trying to implement support for XFF (X-Forwarded-For). As a first
> step,
> > I would like to modify the alert-debuglog.c to replace the srcip of the
> > triggered alert by the client IP address specified by the XFF header, in
> > case the XFF has been enabled at the suricata.yaml file and the header is
> > present in the request.
>
> What does this conf variable in the yaml allow?
>
> Replacing the srcip for the packet is wrong, since the info printed is
> not the srcip for the packet, but we will end up presenting the wrong
> ip as the packet srcip.  The right thing would be to check if XFF is
> present in the http state and if yes, print the ip specified by the
> the header separately.
>
> if (XFF-header present) {
>     MemBufferWrite("XFF-header: srcip");
> }
>
> >
> > I am inserting the XFF extraction code at the AlertDebugLogger function,
> > right after:
> >
> >     char srcip[46], dstip[46];
> >
> >     if (PKT_IS_IPV4(p)) {
> >         PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip,
> > sizeof(srcip));
> >         PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip,
> > sizeof(dstip));
> >     } else if (PKT_IS_IPV6(p)) {
> >         PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip,
> > sizeof(srcip));
> >         PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip,
> > sizeof(dstip));
> >     }
> >
> >
> > My code is currently:
> >
> >     /* XFF Code */
> >     // strcpy(srcip,"0");
> >     if (aft->debuglog_ctx->flags & ALERT_DEBUGLOG_XFF) {
> >         // strcpy(srcip,"1");
> >         HtpState *htp_state=NULL;
> >         htp_tx_t *tx = NULL;
> >         htp_header_t *h_xff = NULL;
> >         size_t idx = 0;
> >         if (p->flow && AppLayerGetProtoFromPacket(p) == ALPROTO_HTTP &&
> >                         AppLayerTransactionGetLoggedId(p->flow) >= 0 &&
> >                         HtpTransactionGetLoggableId(p->flow) >= 0) {
> >             // strcpy(srcip,"2");
> >             htp_state = (HtpState *) AppLayerGetProtoStateFromPacket(p);
> >             size_t logged = (size_t)
> > AppLayerTransactionGetLoggedId(p->flow);
> >             size_t loggable = (size_t)
> HtpTransactionGetLoggableId(p->flow);
> >             if ( htp_state && htp_state->connp && htp_state->connp->conn
> &&
> > logged < loggable) {
> >                 // strcpy(srcip,"3");
> >                 for (idx = logged; idx < loggable; idx++) {
> >                     // strcpy(srcip,"4");
> >                     tx = list_get(htp_state->connp->conn->transactions,
> > idx);
> >                     if (tx != NULL && tx->request_headers != NULL) {
> >                         // strcpy(srcip,"5");
> >                         h_xff = table_getc(tx->request_headers,
> > aft->debuglog_ctx->xff_header);
> >                         if (h_xff != NULL) {
> >                             // strcpy(srcip,"6");
> >                             if (bstr_len(h_xff->value) >
> > ALERT_DEBUGLOG_XFF_MINLEN - 1 &&
> >
> > bstr_len(h_xff->value) < 44) {
> >                                 strcpy(srcip,bstr_ptr(h_xff->value));
> >                                 // strcpy(srcip,"7");
> >                             }
> >                         }
> >                     }
> >                 }
> >             }
> >         }
> >     }
> >
> > The problem is that it never arrives to "step 3" because logged is
> always >=
> > loggable (even though the XFF header is present in the request which
> > triggered the alert). I suspect this happens because at the point the
> alert
> > is triggered, the http transaction is not yet finished (it works fine in
> > log-httplog).
> >
> > How should I modify the code to extract the XFF header, if available,
> even
> > when the transaction is not finished?
> >
>
> Debuglog depends on the presence of alerts and I see no way around it.
>  Instead you can retrieve the available transactions from the
> htp_state, pick the one which has the xff header and you have the ip
> you need.
>
> int size = (int)list_size(htp_state->connp->conn->transactions);
> for (idx = 0; idx < size; idx++) {
>
>     tx = list_get(htp_state->connp->conn->transactions, idx);
>     if (tx == NULL)
>         continue;
>
>     if (tx has xff_header)
>         break;
>     tx = NULL;
> }
>
> if (tx != NULL) {
>     /* this tx has the xff header set.  use the ip */
>     xff_ip = retrieve_xff_header_value_for_tx(tx);
> }
>
> > Thank you! Regards,
> >
> >
> >   Ignacio Sanchez
> > _______________________________________________
> > Oisf-devel mailing list
> > Oisf-devel at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>
>
> --
> Anoop Saldanha
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120719/ebfa17b6/attachment-0002.html>


More information about the Oisf-devel mailing list