[Oisf-users] How to show what ip address do the request inside an alert

Peter Manev petermanev at gmail.com
Tue Aug 27 07:03:01 UTC 2013


On Mon, Aug 26, 2013 at 9:24 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Http.log will just log the contents of the X-Forwaded-For header.
>
> What I'm looking for is something like the Apache mod_rpaf feature:
>
>> http://kasunh.wordpress.com/2011/10/11/preserving-remote-iphost-while-proxying/
>
> So yes, as you mentioned something like a libhtp directive that would
> pass the contents of the X-Forwarded-For header as the source IP to the
> logging module.
>
> There is something similar in development already:
>
>> https://redmine.openinfosecfoundation.org/issues/478

ahh yes, I almost forgot about this feature. It is almost ready btw
(90%) - I will try to ping Ignacio and  see what is needed to finish
it.

>
> I think the issue is if I remember correctly from this discussion re:
> snort, is that they don't want to change behavior of the 'fast' output
> in any major way.  So, for example, the source IP logged is always the
> source IP of the logged packet, never anything else.
>
> Thinking about it this is probably the right thing to do.

I think it is the right thing to do, unless of course there are better
ways/ideas.... ?

>
> - -Coop
>
> On 8/26/2013 10:56 AM, Peter Manev wrote:
>>
>> P.S.  Would be nice if libhtp had the feature to "follow
>> X-Forwared-For" to allow logging of origin IPs.
>>
>>> http.log has that custom logging feature(X-Forwarded...). Is this
>>> what you have in mind or you mean more like an "alert" log
>>> feature?
>>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQEcBAEBAgAGBQJSG510AAoJEKIFRYQsa8FWaVwH/1z8s9Uj/rkL4Sk/QGvkzY7H
> FH2GA2Bq2U5gbez+H5F9ZJ/4PSeSs1753ZbbA8YT/lp7bHy/TDgByhJ77hdCyB5D
> xUzUQobC65V/h9y7egXqVijNiKIW2a+fO3uhgYdNDGj3qXXNHyPRamIuakIflhC5
> m0jo80PLiaFcHvFAHt7alzaPbig1vsEjpnziDtyYyndsJiSD8AuSknH7wA8QWknG
> uyofVZnAf3FKpUmkOBc9bXEm5yTrvuupC0WZiaypn45ar5cDf5ppWZOEx+t3TTQV
> SkWh34tub3qFjKk7Kk08QIgEdKUa81exD3HIk7+JuO5B6uYJcvT1sf32Tes9YAk=
> =/T32
> -----END PGP SIGNATURE-----



-- 
Regards,
Peter Manev



More information about the Oisf-users mailing list