[Oisf-users] XFF and alternate HTTP IP header with a proxy
Michael Riggs
msnriggs at gmail.com
Fri Mar 30 13:37:48 UTC 2018
Morning Suricata peeps,
We're having an issue where we can't get our proxy to give us X-Forwarded-For,
but it'll give Client-ip. It looks like I can mod the "header: X-Forwarded-For"
field to "header: Client-ip" and all should work well, but it's not.
First - Am I making a bad assumption that this is supported?
Second - help! :-) See examples below -
Mike
*tcpdump of relevant part of HTTP packet*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36.
Accept: image/webp,image/apng,image/*,*/*;q=0.8.
DNT: 1.
Referer: http://golfweek.com/.
Accept-Encoding: gzip, deflate.
Accept-Language: en-US,en;q=0.9.
*Client-ip: 10.25.8.9.*
Via: 1.1 localhost.localdomain .
Host: dt.adsafeprotected.com.
*We've modified the suricata.yaml as follows*
xff:
  enabled: yes
  # Two operation modes are available, "extra-data" and "overwrite".
  mode: overwrite
  # Two proxy deployments are supported, "reverse" and "forward". In
  # a "reverse" deployment the IP address used is the last one, in a
  # "forward" deployment the first IP address is used.
  deployment: forward
  # Header name where the actual IP address will be reported, if more
  # than one IP address is present, the last IP address will be the
  # one taken into consideration.
  header: Client-ip
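The following is an added illustration, not code from the post or from Suricata: a small Python model of the lookup the xff stanza above describes (pick the configured header, treat the value as a comma-separated list, take the first address for a "forward" deployment and the last for "reverse"). It uses the request headers from Mike's tcpdump as a constructed sample, matches the header name case-insensitively as HTTP requires (whether Suricata's own `header:` setting is compared that way is an assumption here and should be checked against the Suricata documentation), and discards tokens that are not valid IP addresses instead of trusting them. Function names and the `deployment`/`header_name` parameters are this example's own.

```python
import ipaddress

# Constructed sample: the request headers shown in the tcpdump excerpt above,
# without tcpdump's trailing "." rendering of the line terminators.
SAMPLE_HEADERS = [
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36",
    "Accept: image/webp,image/apng,image/*,*/*;q=0.8",
    "Client-ip: 10.25.8.9",
    "Via: 1.1 localhost.localdomain",
    "Host: dt.adsafeprotected.com",
]


def parse_headers(lines):
    """Turn raw 'Name: value' lines into (name, value) pairs.

    Header names are lower-cased because HTTP header names are
    case-insensitive; a header may legitimately repeat, so a list is kept
    rather than a dict.
    """
    parsed = []
    for line in lines:
        if ":" not in line:
            continue  # not a header line (e.g. request line, blank line)
        name, _, value = line.partition(":")
        parsed.append((name.strip().lower(), value.strip()))
    return parsed


def candidate_ips(headers, header_name):
    """Collect every syntactically valid IP carried by the chosen header.

    Comma-separated lists (the X-Forwarded-For convention) and repeated
    headers are flattened in order of appearance. Tokens that are not IP
    addresses (e.g. 'unknown') are dropped, never trusted.
    """
    wanted = header_name.lower()
    ips = []
    for name, value in headers:
        if name != wanted:
            continue
        for token in value.split(","):
            token = token.strip()
            try:
                ips.append(str(ipaddress.ip_address(token)))
            except ValueError:
                continue
    return ips


def select_client_ip(raw_lines, header_name="X-Forwarded-For", deployment="forward"):
    """Model of the 'deployment' semantics quoted from suricata.yaml:
    forward proxy -> first address, reverse proxy -> last address.

    Returns None when the header is absent or carries no valid IP, so the
    caller knows it has nothing better than the packet's own source address.
    """
    if deployment not in ("forward", "reverse"):
        raise ValueError("deployment must be 'forward' or 'reverse'")
    ips = candidate_ips(parse_headers(raw_lines), header_name)
    if not ips:
        return None
    return ips[0] if deployment == "forward" else ips[-1]


if __name__ == "__main__":
    # With the header renamed to Client-ip, the proxied client is found;
    # with the default X-Forwarded-For, the sample yields nothing.
    print(select_client_ip(SAMPLE_HEADERS, header_name="Client-ip"))
    print(select_client_ip(SAMPLE_HEADERS))
```

Running it against the sample shows the two outcomes side by side: with `header_name="Client-ip"` the model returns 10.25.8.9, and with the default X-Forwarded-For it returns None, which is the symptom to look for when an XFF setting appears to do nothing. The same function also makes the forward/reverse distinction concrete for a multi-hop list such as `X-Forwarded-For: 192.0.2.1, 198.51.100.7`, where only the first address is under the client's control in a "forward" deployment and only the last was appended by the trusted proxy in a "reverse" one.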