[Oisf-users] How to show what ip address do the request inside an alert

Duarte Silva duarte.silva at serializing.me
Tue Aug 27 07:42:11 UTC 2013


Hi Peter,

Ignacio passed the ball on that one for me. In the Suricata GitHub you
have a pull request for the newest version with the comments addressed.

Best regards,
Duarte
On 27 Aug 2013 08:03, "Peter Manev" <petermanev at gmail.com> wrote:

> On Mon, Aug 26, 2013 at 9:24 PM, Cooper F. Nelson <cnelson at ucsd.edu>
> wrote:
> >
> > Http.log will just log the contents of the X-Forwarded-For header.
> >
> > What I'm looking for is something like the Apache mod_rpaf feature:
> >
> >> http://kasunh.wordpress.com/2011/10/11/preserving-remote-iphost-while-proxying/
> >
> > So yes, as you mentioned something like a libhtp directive that would
> > pass the contents of the X-Forwarded-For header as the source IP to the
> > logging module.
> >
> > There is something similar in development already:
> >
> >> https://redmine.openinfosecfoundation.org/issues/478
>
> ahh yes, I almost forgot about this feature. It is almost ready btw
> (90%) - I will try to ping Ignacio and see what is needed to finish
> it.
>
> >
> > I think the issue, if I remember correctly from this discussion re:
> > snort, is that they don't want to change the behavior of the 'fast' output
> > in any major way.  So, for example, the source IP logged is always the
> > source IP of the logged packet, never anything else.
> >
> > Thinking about it this is probably the right thing to do.
>
> I think it is the right thing to do, unless of course there are better
> ways/ideas...?
>
> >
> > - -Coop
> >
> > On 8/26/2013 10:56 AM, Peter Manev wrote:
> >>
> >> P.S.  Would be nice if libhtp had the feature to "follow
> >> X-Forwarded-For" to allow logging of origin IPs.
> >>
> >>> http.log has that custom logging feature(X-Forwarded...). Is this
> >>> what you have in mind or you mean more like an "alert" log
> >>> feature?
> >>
> >
> > - --
> > Cooper Nelson
> > Network Security Analyst
> > UCSD ACT Security Team
> > cnelson at ucsd.edu x41042
>
>
>
> --
> Regards,
> Peter Manev
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
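The origin-IP derivation Cooper is after (an X-Forwarded-For-aware client address logged beside the packet source IP, which stays as it is), as an added example that is not part of this thread, of Suricata or of libhtp; the sample records, the trusted-proxy range and the field names are constructed assumptions. The header is client-supplied, so only hops appended by proxies we trust are believed.

```python
import ipaddress

# Constructed sample records: the packet source IP the sensor saw and the raw
# X-Forwarded-For header value (None when the header was absent).
SAMPLE_RECORDS = [
    {"src_ip": "10.0.0.5", "xff": "203.0.113.7, 10.0.0.5"},  # via our proxy
    {"src_ip": "10.0.0.5", "xff": "198.51.100.9"},           # single hop
    {"src_ip": "192.0.2.44", "xff": "1.2.3.4"},              # not our proxy
    {"src_ip": "10.0.0.5", "xff": "garbage, 10.0.0.5"},      # malformed hop
    {"src_ip": "192.0.2.50", "xff": None},                   # no header
]

# Assumed: the only proxies whose X-Forwarded-For additions we believe.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(ip):
    """True when ip (str or ip_address) belongs to a trusted proxy range."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in TRUSTED_PROXIES)


def origin_ip(src_ip, xff):
    """Derive the origin client IP from src_ip and the X-Forwarded-For value.

    The packet source must itself be a trusted proxy, otherwise the header is
    attacker-controlled noise and src_ip is returned unchanged. The hop list is
    walked right to left (nearest proxy first); the first hop that is not one
    of our proxies is the origin. A malformed hop stops the walk.
    """
    if not xff or not is_trusted(src_ip):
        return src_ip
    candidate = src_ip
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return candidate
        if not is_trusted(addr):
            return str(addr)
        candidate = str(addr)
    return candidate


def annotate(records):
    """Return copies of records with an added origin_ip field; src_ip is kept."""
    return [dict(r, origin_ip=origin_ip(r["src_ip"], r["xff"])) for r in records]
```

The alert's own source field is left untouched, matching the thread's conclusion that the 'fast' output should always carry the packet source IP; the origin address is an extra field for correlation.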