[Oisf-users] xff configuration

Emm Dupp dupont871 at outlook.com
Wed Jan 20 09:28:03 UTC 2016


Hello oisf-users,

I am using Suricata version 3.0dev (rev 44a444b) and have trouble using the XFF feature. I have enabled it on the EVE log in overwrite mode but I still see the src_ip being the internal IP address. I took a pcap trace and I see that the X-Forwarded-For field is there and well set.

Here is what I receive from Suricata:

{"timestamp":"2016-01-19T11:30:09.288203+0000","flow_id":30630416,"in_iface":"eth0","event_type":"http","src_ip":"172.11.0.19","src_port":48647,"dest_ip":"172.11.1.181","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"tmp.test.net","url":"\/test008\/status","http_user_agent":"curl\/7.38.0","xff":"X.X.X.X","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":862}}

I would expect that the src_ip field contains the value of the xff field. I tried to set the deployment field from the "reverse" default value to "forward" but I don't see any difference.

Can you please help me? Maybe I am missing something!

Thank you.

Emm
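A small diagnostic, added here as an example and not part of the original post or of Suricata itself, that reads EVE JSON lines and reports, for every http event carrying an xff field, whether src_ip agrees with the client address the X-Forwarded-For chain implies under the configured deployment (suricata.yaml describes "reverse" as using the last address in the chain and "forward" the first). The EVE lines below are constructed for the example; addresses come from documentation ranges.

```python
import json

# Constructed sample EVE output (not from the original post). Line 1 mirrors
# the poster's symptom: an xff field is present, yet src_ip is still the
# internal address. Line 2 has a src_ip consistent with the XFF chain.
# Line 3 carries no XFF header and must be skipped by the check.
SAMPLE_EVE = "\n".join([
    '{"flow_id":30630416,"event_type":"http","src_ip":"172.11.0.19",'
    '"dest_ip":"172.11.1.181","proto":"TCP","http":{"hostname":"tmp.test.net",'
    '"url":"/test008/status","xff":"203.0.113.7, 198.51.100.4","status":200}}',
    '{"flow_id":30630417,"event_type":"http","src_ip":"198.51.100.4",'
    '"dest_ip":"172.11.1.181","proto":"TCP","http":{"hostname":"tmp.test.net",'
    '"url":"/test009/status","xff":"203.0.113.7, 198.51.100.4","status":200}}',
    '{"flow_id":30630418,"event_type":"http","src_ip":"172.11.0.20",'
    '"dest_ip":"172.11.1.181","proto":"TCP","http":{"hostname":"tmp.test.net",'
    '"url":"/","status":200}}',
])


def expected_client_ip(xff_value, deployment="reverse"):
    """Address Suricata is expected to pick from an XFF chain: the last hop
    for a "reverse" deployment, the first hop for a "forward" deployment."""
    hops = [h.strip() for h in xff_value.split(",") if h.strip()]
    if not hops:
        return None
    return hops[-1] if deployment == "reverse" else hops[0]


def check_xff_overwrite(eve_text, deployment="reverse"):
    """Return [(flow_id, src_ip, expected_ip, consistent)] for each http
    event that carries an xff field; events without xff are ignored."""
    results = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "http":
            continue
        xff = ev.get("http", {}).get("xff")
        if xff is None:
            continue
        want = expected_client_ip(xff, deployment)
        results.append((ev["flow_id"], ev["src_ip"], want, ev["src_ip"] == want))
    return results


if __name__ == "__main__":
    for flow_id, src_ip, want, ok in check_xff_overwrite(SAMPLE_EVE):
        print(f"flow {flow_id}: src_ip={src_ip} expected={want} consistent={ok}")
```

Run it against a real eve.json with `check_xff_overwrite(open("eve.json").read(), "forward")` to see whether switching the deployment setting changes which address is expected.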