[Oisf-users] How to show what ip address do the request inside an alert

C. L. Martinez carlopmart at gmail.com
Tue Aug 27 09:20:53 UTC 2013

On Tue, Aug 27, 2013 at 7:03 AM, Peter Manev <petermanev at gmail.com> wrote:
> On Mon, Aug 26, 2013 at 9:24 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>> Hash: SHA1
>> Http.log will just log the contents of the X-Forwaded-For header.
>> What I'm looking for is something like the Apache mod_rpaf feature:
>>> http://kasunh.wordpress.com/2011/10/11/preserving-remote-iphost-while-proxying/
>> So yes, as you mentioned something like a libhtp directive that would
>> pass the contents of the X-Forwarded-For header as the source IP to the
>> logging module.
>> There is something similar in development already:
>>> https://redmine.openinfosecfoundation.org/issues/478
> ahh yes, I almost forgot about this feature. It is almost ready btw
> (90%) - I will try to ping Ignacio and  see what is needed to finish
> it.
>> I think the issue is if I remember correctly from this discussion re:
>> snort, is that they don't want to change behavior of the 'fast' output
>> in any major way.  So, for example, the source IP logged is always the
>> source IP of the logged packet, never anything else.
>> Thinking about it this is probably the right thing to do.
> I think it is the right thing to do, unless of course there are better
> ways/ideas.... ?

> Peter Manev

Maybe is the better approach ...

More information about the Oisf-users mailing list