[Oisf-users] How to show what IP address made the request inside an alert

Cooper F. Nelson cnelson at ucsd.edu
Mon Aug 26 18:24:53 UTC 2013



Http.log will just log the contents of the X-Forwarded-For header.

What I'm looking for is something like the Apache mod_rpaf feature:

> http://kasunh.wordpress.com/2011/10/11/preserving-remote-iphost-while-proxying/

So yes, as you mentioned something like a libhtp directive that would
pass the contents of the X-Forwarded-For header as the source IP to the
logging module.

There is something similar in development already:

> https://redmine.openinfosecfoundation.org/issues/478

I think the issue, if I remember correctly from this discussion re:
snort, is that they don't want to change the behavior of the 'fast' output
in any major way.  So, for example, the source IP logged is always the
source IP of the logged packet, never anything else.

Thinking about it, this is probably the right thing to do.

-Coop

On 8/26/2013 10:56 AM, Peter Manev wrote:
> 
> P.S.  Would be nice if libhtp had the feature to "follow
> X-Forwarded-For" to allow logging of origin IPs.
> 
>> http.log has that custom logging feature(X-Forwarded...). Is this
>> what you have in mind or you mean more like an "alert" log
>> feature?
> 

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
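Added here as an example, not code from the post or from Suricata/libhtp: a small Python post-processor that does what the requested directive would do, attributing an alert to the X-Forwarded-For origin only when the logged packet came from a trusted proxy, while leaving the packet source IP exactly as 'fast' output records it. The TRUSTED_PROXIES ranges and the sample alerts are constructed placeholders.

```python
import ipaddress

# Constructed placeholder: the reverse proxies whose X-Forwarded-For we believe.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.0/24")]


def _is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def origin_ip(packet_src, xff_header):
    """Return the client IP an alert should be attributed to.

    packet_src: source IP of the logged packet (what 'fast' output records).
    xff_header: raw X-Forwarded-For value, or None.
    The header is client-supplied, so it is consulted only when the packet
    itself came from a trusted proxy; the chain is then walked right-to-left,
    skipping our own proxies, and the first other address is the origin.
    """
    src = ipaddress.ip_address(packet_src)
    if not xff_header or not _is_trusted_proxy(src):
        return str(src)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry (hostname, port suffix, garbage): stop trusting
            # the chain and keep the packet source.
            return str(src)
        if not _is_trusted_proxy(addr):
            return str(addr)
    # Every hop was one of our proxies; fall back to the packet source.
    return str(src)


def enrich_alert(alert):
    """Add an 'origin_ip' field to an alert dict without touching src_ip."""
    out = dict(alert)
    out["origin_ip"] = origin_ip(alert["src_ip"], alert.get("xff"))
    return out


# Constructed sample alerts (not from the post).
SAMPLE_ALERTS = [
    {"src_ip": "10.1.2.3", "xff": "198.51.100.7, 10.1.2.3"},        # proxied client
    {"src_ip": "203.0.113.9", "xff": "1.2.3.4"},                    # untrusted host sets XFF
    {"src_ip": "10.1.2.3", "xff": "203.0.113.5, bogus, 10.0.0.1"},  # garbage in the chain
    {"src_ip": "10.1.2.3", "xff": None},                            # no header at all
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(enrich_alert(a))
```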