[Oisf-users] xff configuration

Peter Manev petermanev at gmail.com
Wed Jan 20 09:44:25 UTC 2016


On Wed, Jan 20, 2016 at 10:28 AM, Emm Dupp <dupont871 at outlook.com> wrote:
> Hello oisf-users,
>
> I am using Suricata version 3.0dev (rev 44a444b) and have trouble using the
> XFF feature.
> I have enabled it on the EVE log in overwrite mode but I still see the
> src_ip being the internal IP address.
>
> I took a pcap trace and I see that the X-Forwarded-For field is there and
> well set.
> Here is what I receive from Suricata:
>
> {"timestamp":"2016-01-19T11:30:09.288203+0000","flow_id":30630416,"in_iface":"eth0","event_type":"http","src_ip":"172.11.0.19","src_port":48647,"dest_ip":"172.11.1.181","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"tmp.test.net","url":"\/test008\/status","http_user_agent":"curl\/7.38.0","xff":"X.X.X.X","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":862}}
>
> I would expect that the src_ip field contains the value of the xff field.
> I tried to set the deployment field from the "reverse" default value to
> "forward" but I don't see any difference.
> Can you please help me? Maybe I am missing something!
>
> Thank you.
>

Can you share that pcap? (privately if you would like as well)

Thanks


> Emm
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net



-- 
Regards,
Peter Manev
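For readers following this thread, the following added example (not code from Suricata or from either poster) makes the expected "overwrite" semantics concrete by post-processing EVE JSON lines in Python: it looks for the xff value, picks the last hop for a "reverse" deployment or the first hop for a "forward" one, and replaces src_ip with it, keeping the originally observed address under a field name chosen here (xff_observed_src_ip, not a Suricata field). It also only honours the header when the observed src_ip is one of your own proxies (the TRUSTED_PROXIES set below is an assumption for the example), since X-Forwarded-For is client-supplied and otherwise attacker-controlled. The sample records and addresses are constructed, not taken from the original post.

```python
"""Apply X-Forwarded-For "overwrite" semantics to Suricata EVE JSON records.

Added example, not Suricata code: it mirrors what eve-log's xff overwrite mode
is meant to produce, so the expected output can be compared with real records.
"""
import ipaddress
import json
from typing import Iterable, Iterator, Optional

# Constructed sample EVE lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_EVE_LINES = [
    # request seen from our proxy, two hops in the header
    '{"timestamp":"2016-01-19T11:30:09.288203+0000","event_type":"http",'
    '"src_ip":"172.16.0.19","src_port":48647,"dest_ip":"172.16.1.181","dest_port":80,'
    '"proto":"TCP","http":{"hostname":"tmp.test.net","url":"/test008/status",'
    '"xff":"198.51.100.7, 203.0.113.9","http_method":"GET","status":200}}',
    # no XFF header at all: record must pass through untouched
    '{"event_type":"http","src_ip":"172.16.0.20","dest_ip":"172.16.1.181",'
    '"http":{"hostname":"tmp.test.net","url":"/","http_method":"GET","status":404}}',
    # XFF from a host that is not one of our proxies: client-controlled, ignore it
    '{"event_type":"http","src_ip":"192.0.2.55","dest_ip":"172.16.1.181",'
    '"http":{"hostname":"tmp.test.net","url":"/","xff":"10.0.0.1","status":200}}',
    # garbage in the header: fall back to the observed address
    '{"event_type":"http","src_ip":"172.16.0.19","dest_ip":"172.16.1.181",'
    '"http":{"hostname":"tmp.test.net","url":"/","xff":"not-an-ip","status":200}}',
]

# Assumption for the example: the reverse proxies that add X-Forwarded-For live here.
TRUSTED_PROXIES = {ipaddress.ip_network("172.16.0.0/24")}


def pick_xff_address(header_value: str, deployment: str) -> Optional[str]:
    """Return the client address named by an X-Forwarded-For value.

    Mirrors the eve-log xff "deployment" setting: "reverse" takes the last
    address in the comma-separated list, "forward" takes the first.
    Empty or non-IP entries yield None so callers keep the observed address.
    """
    hops = [h.strip() for h in header_value.split(",") if h.strip()]
    if not hops:
        return None
    if deployment == "reverse":
        candidate = hops[-1]
    elif deployment == "forward":
        candidate = hops[0]
    else:
        raise ValueError(f"unknown deployment {deployment!r}")
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def is_trusted_proxy(addr: str) -> bool:
    """True if the observed source is one of the proxies we allow to set XFF."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def apply_xff_overwrite(record: dict, deployment: str = "reverse") -> dict:
    """Rewrite src_ip from the XFF header the way overwrite mode is expected to.

    The xff value is read from the http object (as in the posted record) or
    from the top level. The observed address is kept in "xff_observed_src_ip"
    (a name chosen for this example) so the proxy hop survives for forensics.
    """
    out = dict(record)
    xff = record.get("xff") or record.get("http", {}).get("xff")
    if not xff or not is_trusted_proxy(record["src_ip"]):
        return out
    client = pick_xff_address(xff, deployment)
    if client is None:
        return out
    out["xff_observed_src_ip"] = record["src_ip"]
    out["src_ip"] = client
    return out


def rewrite_eve(lines: Iterable[str], deployment: str = "reverse") -> Iterator[dict]:
    """Yield rewritten records for each non-empty EVE JSON line."""
    for line in lines:
        line = line.strip()
        if line:
            yield apply_xff_overwrite(json.loads(line), deployment)


if __name__ == "__main__":
    for rec in rewrite_eve(SAMPLE_EVE_LINES):
        print(json.dumps(rec))
```

Run it against a real eve.json (one record per line) to see which src_ip values a correct overwrite would have produced; if the trusted-proxy check drops records you expected to be rewritten, the header is arriving from a host that is not in TRUSTED_PROXIES.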


