[Oisf-users] XFF and alternate HTTP IP header with a proxy

Eric Urban eurban at umn.edu
Fri Mar 30 14:21:02 UTC 2018


I tested this on my end and it seems to work as expected.  I am running
Suricata 4.0.4.
I enabled the xff options like you did (for eve.log) and tried both with
extra-data, in which case the IP was logged to a field labelled "xff",
and then with overwrite.  In my case of using overwrite, the flow the
alert triggered on was coming from the server side, so the destination IP
is what is being overwritten.  That makes sense and is described as the
way it should work in the config comments: "# HTTP X-Forwarded-For support
by adding an extra field or overwriting the source or destination IP
address (depending on flow direction)".

I used cURL to request a response with a payload that triggers the alert:
curl -i -H "Client-ip: 10.44.44.44" http://testserver.local:1236/

From eve.log when using extra-data mode (bottom of alert entry):
...
  "packet_info": {
    "linktype": 1
  },
  "xff": "10.44.44.44"
}

From eve.log when using overwrite (top of alert entry):
{
  "timestamp": "2018-03-30T09:04:04.923932-0500",
  "flow_id": 2235731331518724,
  "in_iface": "eth0",
  "event_type": "alert",
  "src_ip": "10.0.2.15",
  "src_port": 1236,
  "dest_ip": "10.44.44.44",
  "dest_port": 35629,
  "proto": "TCP",
...




-- 
Eric Urban
University Information Security | Office of Information Technology |
it.umn.edu
University of Minnesota | umn.edu
eurban at umn.edu

On Fri, Mar 30, 2018 at 8:59 AM, Duarte Silva <duarte.silva at serializing.me>
wrote:

> Hey,
>
> What do you mean with "should work well but it is not"? You have the XFF in overwrite
> mode, so it should change the source address of the http request in the
> logging and only in the logging. Is it this that isn't properly working?
>
> Cheers,
>
> Duarte
>
> *From: *Michael Riggs <msnriggs at gmail.com>
> *Sent: *30 March 2018 15:37
> *To: *oisf-users at lists.openinfosecfoundation.org
> *Subject: *[Oisf-users] XFF and alternate HTTP IP header with a proxy
>
> Morning Suricata peeps,
>
> We're having an issue where we can't get our proxy to give us
> X-Forwarded-For, but it'll give Client-ip. It looks like I can mod the Header:
> X-Forwarded-For field to Header: Client-ip and all should work well, but
> it's not. First - Am I making a bad assumption that this is supported?
> Second - help! :-)  See examples below -
>
> Mike
>
> *tcpdump of relevant part of HTTP packet*
>
> User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36.
> Accept: image/webp,image/apng,image/*,*/*;q=0.8.
> DNT: 1.
> Referer: http://golfweek.com/.
> Accept-Encoding: gzip, deflate.
> Accept-Language: en-US,en;q=0.9.
> *Client-ip: 10.25.8.9.*
> Via: 1.1 localhost.localdomain .
> Host: dt.adsafeprotected.com.
>
> *We've modified the suricata.yaml as follows*
>
>             xff:
>               enabled: yes
>               # Two operation modes are available, "extra-data" and "overwrite".
>               mode: overwrite
>               # Two proxy deployments are supported, "reverse" and "forward". In
>               # a "reverse" deployment the IP address used is the last one, in a
>               # "forward" deployment the first IP address is used.
>               deployment: forward
>               # Header name where the actual IP address will be reported, if more
>               # than one IP address is present, the last IP address will be the
>               # one taken into consideration.
>               header: Client-ip
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
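To make the behaviour discussed in this thread concrete (a custom header name such as Client-ip, the "extra-data" versus "overwrite" modes, the "forward"/"reverse" choice of first or last address, and Eric's observation that in overwrite mode the field replaced depends on flow direction), here is a small Python model of that XFF logic. It is an added example written for this page, not Suricata's own code: the sample headers and the eve alert dict are constructed from the values quoted in the thread, the function names are hypothetical, and the selection rules are taken from the suricata.yaml comments shown above. It also skips a header whose value does not parse as an IP address, since the header is supplied by whatever sits in front of the sensor and a malformed value should not be written into the alert.

```python
import ipaddress
from typing import Dict, Optional

# Constructed sample input: the headers from Mike's tcpdump excerpt, with
# Client-ip present and no X-Forwarded-For at all.
SAMPLE_HEADERS: Dict[str, str] = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64)",
    "Client-ip": "10.25.8.9",
    "Via": "1.1 localhost.localdomain",
    "Host": "dt.adsafeprotected.com",
}

# Constructed sample eve alert, modelled on Eric's overwrite example: the
# alert fired on a packet travelling server -> client, so src_ip is the server.
SAMPLE_ALERT: Dict[str, object] = {
    "event_type": "alert",
    "src_ip": "10.0.2.15",
    "src_port": 1236,
    "dest_ip": "10.0.2.2",
    "dest_port": 35629,
    "proto": "TCP",
}


def pick_xff_address(headers: Dict[str, str],
                     header_name: str = "X-Forwarded-For",
                     deployment: str = "reverse") -> Optional[str]:
    """Return the proxied client address carried by the configured header.

    Header names are matched case-insensitively (so "Client-ip" also matches
    "client-IP").  For a comma-separated list, a "reverse" deployment takes
    the last address and a "forward" deployment takes the first, as the
    suricata.yaml comments describe.  Returns None when the header is absent
    or its chosen element is not a valid IP address.
    """
    if deployment not in ("reverse", "forward"):
        raise ValueError(f"unknown xff deployment: {deployment}")
    value = next((v for k, v in headers.items()
                  if k.lower() == header_name.lower()), None)
    if value is None:
        return None
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if not parts:
        return None
    candidate = parts[-1] if deployment == "reverse" else parts[0]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None  # malformed value: leave the alert untouched


def apply_xff(alert: Dict[str, object],
              headers: Dict[str, str],
              mode: str = "extra-data",
              deployment: str = "reverse",
              header_name: str = "X-Forwarded-For",
              flow_to_server: bool = True) -> Dict[str, object]:
    """Return a copy of an eve alert with XFF handling applied.

    "extra-data" adds an "xff" field and leaves src_ip/dest_ip alone.
    "overwrite" replaces the address on the client end of the flow: src_ip
    for a to-server packet, dest_ip for a to-client packet (the case Eric
    saw, where the alert fired on the server's response).
    """
    out = dict(alert)
    addr = pick_xff_address(headers, header_name, deployment)
    if addr is None:
        return out
    if mode == "extra-data":
        out["xff"] = addr
    elif mode == "overwrite":
        out["src_ip" if flow_to_server else "dest_ip"] = addr
    else:
        raise ValueError(f"unknown xff mode: {mode}")
    return out


if __name__ == "__main__":
    # Mike's configuration: overwrite, forward, header Client-ip.
    print(apply_xff(SAMPLE_ALERT, SAMPLE_HEADERS, mode="overwrite",
                    deployment="forward", header_name="Client-ip",
                    flow_to_server=False))
```

The two calls worth comparing when reading the thread are extra-data (the original src_ip/dest_ip survive and the proxied address lands in "xff") and overwrite with flow_to_server=False, which is why Eric's alert shows the Client-ip value in dest_ip rather than src_ip. Anyone correlating overwritten alerts with flow logs should keep that direction rule in mind, or prefer extra-data so the original addresses are never lost.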