[Oisf-users] XFF and alternate HTTP IP header with a proxy

Duarte Silva duarte.silva at serializing.me
Fri Mar 30 13:59:49 UTC 2018


Hey,

What do you mean with "should work well but it is not"? You have the XFF in overwrite mode, so it should change the source address of the http request in the logging and only in the logging. Is it this that isn't properly working?

Cheers,
Duarte

From: Michael Riggs
Sent: 30 March 2018 15:37
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] XFF and alternate HTTP IP header with a proxy

Morning Suricata peeps,

We're having an issue where we can't get our proxy to give us X-Forwarded-For, but it'll give Client-ip. It looks like I can mod the Header: X-Forwarded-For field to Header: Client-ip and all should work well, but it's not. First - Am I making a bad assumption that this is supported? Second - help! :-)  See examples below -

Mike


tcpdump of relevant part of HTTP packet
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36.
Accept: image/webp,image/apng,image/*,*/*;q=0.8.
DNT: 1.
Referer: http://golfweek.com/.
Accept-Encoding: gzip, deflate.
Accept-Language: en-US,en;q=0.9.
Client-ip: 10.25.8.9.
Via: 1.1 localhost.localdomain .
Host: dt.adsafeprotected.com.

We've modified the suricata.yaml as follows
            xff:
              enabled: yes
              # Two operation modes are available, "extra-data" and "overwrite".
              mode: overwrite
              # Two proxy deployments are supported, "reverse" and "forward". In
              # a "reverse" deployment the IP address used is the last one, in a
              # "forward" deployment the first IP address is used.
              deployment: forward
              # Header name where the actual IP address will be reported, if more
              # than one IP address is present, the last IP address will be the
              # one taken into consideration.
              header: Client-ip
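The following is an added example, not code from Suricata or from either poster. It models what the suricata.yaml comments above describe: the configured "header" name is looked up in the HTTP request, "forward" takes the first address and "reverse" the last when the value is a comma-separated chain, and "overwrite" rewrites src_ip in the log record while "extra-data" adds an "xff" field. The header-name comparison being case-insensitive, the handling of an unparsable value (no rewrite), and the exact EVE field names are assumptions made for this model; the sample headers are constructed by re-typing the tcpdump lines from the post.

```python
"""
Illustrative model of Suricata's XFF option (example code, not Suricata's own).
"""
import ipaddress

# Constructed sample, re-typed from the tcpdump -A output in the post above.
# tcpdump -A prints the CR of each CRLF line ending as a trailing ".", so the
# parser strips one trailing dot before splitting the line on its first colon.
SAMPLE_TCPDUMP_LINES = [
    "Referer: http://golfweek.com/.",
    "Client-ip: 10.25.8.9.",
    "Via: 1.1 localhost.localdomain .",
    "Host: dt.adsafeprotected.com.",
]


def parse_headers(lines):
    """Turn tcpdump-style header lines into an ordered list of (name, value)."""
    headers = []
    for line in lines:
        if line.endswith("."):
            line = line[:-1]          # drop the CR that tcpdump rendered as "."
        name, sep, value = line.partition(":")
        if not sep:
            continue                  # not a "Name: value" line
        headers.append((name.strip(), value.strip()))
    return headers


def pick_client_ip(headers, header_name="X-Forwarded-For", deployment="forward"):
    """
    Select the client address the way the yaml comments describe:
    "forward" deployment -> first IP in the chain, "reverse" -> last IP.
    Assumption: header names match case-insensitively (RFC 7230 semantics)
    and a value that is not a valid IP yields None (no rewrite).
    """
    if deployment not in ("forward", "reverse"):
        raise ValueError("deployment must be 'forward' or 'reverse'")
    for name, value in headers:
        if name.lower() != header_name.lower():
            continue
        chain = [part.strip() for part in value.split(",") if part.strip()]
        if not chain:
            return None
        chosen = chain[0] if deployment == "forward" else chain[-1]
        try:
            return str(ipaddress.ip_address(chosen))
        except ValueError:
            return None               # garbage in the header: leave the record alone
    return None                       # configured header absent from the request


def apply_xff(record, headers, mode="overwrite",
              header_name="X-Forwarded-For", deployment="forward"):
    """
    Apply the XFF result to an EVE-like dict for the request direction.
    "overwrite" replaces src_ip; "extra-data" leaves src_ip and adds "xff".
    The field names are assumptions for this model.
    """
    if mode not in ("overwrite", "extra-data"):
        raise ValueError("mode must be 'overwrite' or 'extra-data'")
    out = dict(record)
    ip = pick_client_ip(headers, header_name, deployment)
    if ip is None:
        return out                    # nothing usable: log the packet addresses as seen
    if mode == "overwrite":
        out["src_ip"] = ip
    else:
        out["xff"] = ip
    return out


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_TCPDUMP_LINES)
    seen = {"src_ip": "192.0.2.1", "dest_ip": "198.51.100.10"}   # constructed proxy addresses
    # The poster's config: header Client-ip, forward deployment, overwrite mode.
    print(apply_xff(seen, hdrs, "overwrite", "Client-ip", "forward"))
    # Same request with the default header name: Client-ip is ignored, src_ip unchanged.
    print(apply_xff(seen, hdrs, "overwrite", "X-Forwarded-For", "forward"))
```

Run the module to see the two outcomes side by side: with header set to Client-ip the logged src_ip becomes 10.25.8.9, while with the default X-Forwarded-For name the proxy's address stays in the record, which is the symptom to check for first when the option appears not to work. Only the log record changes in either mode; the model does not touch anything resembling detection, matching what the reply above says about overwrite mode.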


