[Oisf-devel] Help with XFF
I. Sanchez
sanchezmartin.ji at gmail.com
Thu Jul 19 15:41:43 UTC 2012
Hi Anoop,
Thank you for the information. I have rewritten the code like you suggested
and it is working OK now.
As regards the alert-debug I can indeed write the XFF IP without
overwriting the srcip, however my final goal is to add the XFF IP to the
unified2 alerts.
As discussed at https://redmine.openinfosecfoundation.org/issues/478 there
are 2 ways we can do this:
- Modify the current unified2 format used by suricata to support extrahdrs
and include the XFF IP in there (like snort does)
-- Pros: we keep the original srcip of the packet untouched
-- Cons: barnyard2 does not support the processing of these extrahdr
records; we have to modify the current unified2 format used by suricata
- Overwrite the srcip of the logged packet by the XFF IP if the suricata
administrator decides to activate this feature via the suricata.yaml file.
-- Pros: simple to implement, no need to modify barnyard2
-- Cons: we overwrite the original IP (however if the suricata
administrator decides to activate this feature it is because there is a
reverse proxy which performs SNAT and terminates the HTTP or HTTPS inbound
connections and adds the XFF header, so I see no need to keep the actual
src ip - the one of the reverse proxy)
We could also do it both ways, and let the user decide...
Regards,
On Thu, Jul 19, 2012 at 4:15 PM, Anoop Saldanha <anoopsaldanha at gmail.com>wrote:
> Hi Ignacio,
>
> On Wed, Jul 18, 2012 at 9:17 PM, I. Sanchez <sanchezmartin.ji at gmail.com>
> wrote:
> > Hi there!
> >
> > I am trying to implement support for XFF (X-Forwarded-For). As a first
> step,
> > I would like to modify the alert-debuglog.c to replace the srcip of the
> > triggered alert by the client IP address specified by the XFF header, in
> > case the XFF has been enabled at the suricata.yaml file and the header is
> > present in the request.
>
> What does this conf variable in the yaml allow?
>
> Replacing the srcip for the packet is wrong, since the info printed is
> not the srcip for the packet, but we will end up presenting the wrong
> ip as the packet srcip. The right thing would be to check if XFF is
> present in the http state and if yes, print the ip specified by the
> the header separately.
>
> if (XFF-header present) {
> MemBufferWrite("XFF-header: srcip");
> }
>
> >
> > I am inserting the XFF extraction code at the AlertDebugLogger function,
> > right after:
> >
> > char srcip[46], dstip[46];
> >
> > if (PKT_IS_IPV4(p)) {
> > PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip,
> > sizeof(srcip));
> > PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip,
> > sizeof(dstip));
> > } else if (PKT_IS_IPV6(p)) {
> > PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip,
> > sizeof(srcip));
> > PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip,
> > sizeof(dstip));
> > }
> >
> >
> > My code is currently:
> >
> > /* XFF Code */
> > // strcpy(srcip,"0");
> > if (aft->debuglog_ctx->flags & ALERT_DEBUGLOG_XFF) {
> > // strcpy(srcip,"1");
> > HtpState *htp_state=NULL;
> > htp_tx_t *tx = NULL;
> > htp_header_t *h_xff = NULL;
> > size_t idx = 0;
> > if (p->flow && AppLayerGetProtoFromPacket(p) == ALPROTO_HTTP &&
> > AppLayerTransactionGetLoggedId(p->flow) >= 0 &&
> > HtpTransactionGetLoggableId(p->flow) >= 0) {
> > // strcpy(srcip,"2");
> > htp_state = (HtpState *) AppLayerGetProtoStateFromPacket(p);
> > size_t logged = (size_t)
> > AppLayerTransactionGetLoggedId(p->flow);
> > size_t loggable = (size_t)
> HtpTransactionGetLoggableId(p->flow);
> > if ( htp_state && htp_state->connp && htp_state->connp->conn
> &&
> > logged < loggable) {
> > // strcpy(srcip,"3");
> > for (idx = logged; idx < loggable; idx++) {
> > // strcpy(srcip,"4");
> > tx = list_get(htp_state->connp->conn->transactions,
> > idx);
> > if (tx != NULL && tx->request_headers != NULL) {
> > // strcpy(srcip,"5");
> > h_xff = table_getc(tx->request_headers,
> > aft->debuglog_ctx->xff_header);
> > if (h_xff != NULL) {
> > // strcpy(srcip,"6");
> > if (bstr_len(h_xff->value) >
> > ALERT_DEBUGLOG_XFF_MINLEN - 1 &&
> >
> > bstr_len(h_xff->value) < 44) {
> > strcpy(srcip,bstr_ptr(h_xff->value));
> > // strcpy(srcip,"7");
> > }
> > }
> > }
> > }
> > }
> > }
> > }
> >
> > The problem is that it never arrives to "step 3" because logged is
> always >=
> > loggable (even though the XFF header is present in the request which
> > triggered the alert). I suspect this happens because at the point the
> alert
> > is triggered, the http transaction is not yet finished (it works fine in
> > log-httplog).
> >
> > How should I modify the code to extract the XFF header, if available,
> even
> > when the transaction is not finished?
> >
>
> Debuglog depends on the presence of alerts and I see no way around it.
> Instead you can retrieve the available transactions from the
> htp_state, pick the one which has the xff header and you have the ip
> you need.
>
> int size = (int)list_size(htp_state->connp->conn->transactions);
> for (idx = 0; idx < size; idx++) {
>
> tx = list_get(htp_state->connp->conn->transactions, idx);
> if (tx == NULL)
> continue;
>
> if (tx has xff_header)
> break;
> tx = NULL;
> }
>
> if (tx != NULL) {
> /* this tx has the xff header set. use the ip */
> xff_ip = retrieve_xff_header_value_for_tx(tx);
> }
>
> > Thank you! Regards,
> >
> >
> > Ignacio Sanchez
> > _______________________________________________
> > Oisf-devel mailing list
> > Oisf-devel at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>
>
> --
> Anoop Saldanha
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120719/ebfa17b6/attachment-0002.html>
More information about the Oisf-devel
mailing list