[Oisf-users] XFF and alternate HTTP IP header with a proxy

Michael Riggs msnriggs at gmail.com
Fri Mar 30 13:37:48 UTC 2018


Morning Suricata peeps,

We're having an issue where we can't get our proxy to give us X-Forwarded-For,
but it'll give Client-ip. It looks like I can mod the Header:
X-Forwarded-For field to Header: Client-ip and all should work well, but
it's not. First - Am I making a bad assumption that this is supported?
Second - help! :-)  See examples below -

Mike


tcpdump of relevant part of HTTP packet
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36.
Accept: image/webp,image/apng,image/*,*/*;q=0.8.
DNT: 1.
Referer: http://golfweek.com/.
Accept-Encoding: gzip, deflate.
Accept-Language: en-US,en;q=0.9.
Client-ip: 10.25.8.9.
Via: 1.1 localhost.localdomain .
Host: dt.adsafeprotected.com.

We've modified the suricata.yaml as follows
            xff:
              enabled: yes
              # Two operation modes are available, "extra-data" and "overwrite".
              mode: overwrite
              # Two proxy deployments are supported, "reverse" and "forward". In
              # a "reverse" deployment the IP address used is the last one, in a
              # "forward" deployment the first IP address is used.
              deployment: forward
              # Header name where the actual IP address will be reported, if more
              # than one IP address is present, the last IP address will be the
              # one taken into consideration.
              header: Client-ip
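The config comments above describe how the XFF feature picks an address: read the configured header, and in a "forward" deployment take the first IP in the list, in a "reverse" deployment the last. The following Python is an added illustration of that selection logic written for this post; it is not Suricata code and makes no claim about how Suricata itself matches the header. It assumes HTTP header names are matched case-insensitively (as RFC 7230 requires of header fields) and that a value which does not parse as an IP address is discarded rather than trusted, since anything in this header was written by whatever sits in front of the sensor. The sample header block is constructed from the poster's capture with tcpdump's trailing dots removed.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample, modelled on the poster's tcpdump output (trailing "."
# from tcpdump's line rendering removed). Only the proxy-related lines matter.
SAMPLE_HEADERS = """\
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64)
Client-ip: 10.25.8.9
Via: 1.1 localhost.localdomain
Host: dt.adsafeprotected.com
"""

# Second constructed sample: a header carrying a proxy chain, to show how
# "forward" and "reverse" pick different ends of the list.
CHAIN_HEADERS = """\
X-Forwarded-For: 203.0.113.7, 198.51.100.2, 10.0.0.1
Host: example.invalid
"""


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP header block into (name, value) pairs.

    Lines without a colon are ignored; names keep their original case so the
    caller decides how to compare them.
    """
    pairs = []
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def select_client_ip(headers: List[Tuple[str, str]],
                     header_name: str,
                     deployment: str) -> Optional[str]:
    """Pick the client address from `header_name` the way the xff config
    comments describe: first IP for "forward", last IP for "reverse".

    Returns None when the header is absent or the chosen value is not a
    syntactically valid IP address (assumption for this example: a bad value
    is dropped, never used for alerting).
    """
    if deployment not in ("forward", "reverse"):
        raise ValueError("deployment must be 'forward' or 'reverse'")

    # Header names are case-insensitive; collect every value for the name
    # (a header may legitimately appear more than once) in wire order.
    wanted = header_name.lower()
    values: List[str] = []
    for name, value in headers:
        if name.lower() == wanted:
            values.extend(part.strip() for part in value.split(",") if part.strip())

    if not values:
        return None

    candidate = values[0] if deployment == "forward" else values[-1]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        # Untrusted input: the header came from the proxy (or from whatever
        # the proxy let through), so garbage is discarded, not reported.
        return None


if __name__ == "__main__":
    print(select_client_ip(parse_headers(SAMPLE_HEADERS), "Client-ip", "forward"))
    print(select_client_ip(parse_headers(CHAIN_HEADERS), "X-Forwarded-For", "forward"))
    print(select_client_ip(parse_headers(CHAIN_HEADERS), "X-Forwarded-For", "reverse"))
```

Running it against the poster's header block yields 10.25.8.9 for the configured `Client-ip` header regardless of deployment, since there is only one address. The chain sample shows the practical difference between the two deployment values: a forward proxy puts the original client first, a reverse proxy chain appends so the last entry is the one the sensor's neighbour wrote. Whichever is chosen, only a value the proxy is known to overwrite should be trusted for attribution.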