Snort mailing list archives

Re: enable_xff with Snort


From: Balasubramaniam Natarajan <bala150985 () gmail com>
Date: Mon, 30 Sep 2013 11:58:17 +0530

On Sun, Sep 22, 2013 at 4:00 PM, Balasubramaniam Natarajan <
bala150985 () gmail com> wrote:

Hi

I have been trying to configure snort's http_inspect for some time now
without any success.



Okay, finally got snort to log the Extra Data of True Client IP.  All I had
to do was include enable_xff in the line "preprocessor http_inspect_server:
server default enable_xff".  However, it seems that snort after 2.9.0.5 has
changed the way in which it logs the extra data, such that the barnyard2.1.9
patch does not work any more.

root@Snort:/tmp/log# rm *
root@Snort:/tmp/log# /usr/local/bin/snort -r /home/bala/xforward_out.pcap
-c /etc/test.conf -l /tmp/log/ -u snort -q
Rule Profile Statistics (worst 100 rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
   ===      === === ===     ======   =======    ======           =========  =========  ========= ============   ========
     1  2013504   1   3          1         1         1                  19       19.2       19.2          0.0          0
root@Snort:/tmp/log# ls -ltrh
total 4.0K
-rw------- 1 snort snort 414 Sep 28 12:40 snort.alert.log.1380352241
root@Snort:/tmp/log# u2spewfoo snort.alert.log.1380352241

(Event)
    sensor id: 0    event id: 1    event second: 1379869570    event microsecond: 267132
    sig id: 2013504    gen id: 1    revision: 3     classification: 1
    priority: 3    ip source: 10.0.2.15    ip destination: 174.36.85.72
    src port: 34560    dest port: 80    protocol: 6    impact_flag: 0    blocked: 0

Packet
    sensor id: 0    event id: 1    event second: 1379869570
    packet second: 1379869570    packet microsecond: 267132
    linktype: 1    packet_length: 274
[    0] 52 54 00 12 35 02 08 00 27 EE 1B A6 08 00 45 00  RT..5...'.....E.
[   16] 01 04 34 1E 40 00 40 06 F6 5A 0A 00 02 0F AE 24  ..4.@.@..Z.....$
[   32] 55 48 87 00 00 50 86 55 CF 55 67 E7 BE 02 50 18  UH...P.U.Ug...P.
[   48] 39 08 B7 38 00 00 47 45 54 20 2F 20 48 54 54 50  9..8..GET / HTTP
[   64] 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74  /1.1..User-Agent
[   80] 3A 20 2E 44 65 62 69 61 6E 2E 41 50 54 2D 48 54  : .Debian.APT-HT
[   96] 54 50 2F 31 2E 33 2E 28 30 2E 39 2E 37 2E 37 75  TP/1.3.(0.9.7.7u
[  112] 62 75 6E 74 75 34 29 0D 0A 41 63 63 65 70 74 3A  buntu4)..Accept:
[  128] 20 2A 2F 2A 0D 0A 48 6F 73 74 3A 20 35 2E 74 65   */*..Host: 5.te
[  144] 73 74 2E 63 6F 6D 0D 0A 56 69 61 3A 20 31 2E 31  st.com..Via: 1.1
[  160] 20 6C 6F 63 61 6C 68 6F 73 74 20 28 73 71 75 69   localhost (squi
[  176] 64 2F 33 2E 31 2E 32 30 29 0D 0A 58 2D 46 6F 72  d/3.1.20)..X-For
[  192] 77 61 72 64 65 64 2D 46 6F 72 3A 20 31 39 32 2E  warded-For: 192.
[  208] 31 36 38 2E 31 2E 32 0D 0A 43 61 63 68 65 2D 43  168.1.2..Cache-C
[  224] 6F 6E 74 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 3D  ontrol: max-age=
[  240] 32 35 39 32 30 30 0D 0A 43 6F 6E 6E 65 63 74 69  259200..Connecti
[  256] 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A  on: keep-alive..
[  272] 0D 0A                                            ..

(ExtraDataHdr)
    event type: 4    event length: 36

(ExtraData)
    sensor id: 0    event id: 1    event second: 1379869570
    type: 1    datatype: 1    bloblength: 12    Original Client IP: 192.168.1.2
root@Snort:/tmp/log# grep http_inspect_server /etc/test.conf

preprocessor http_inspect_server: server default enable_xff

-- 
Regards,
Balasubramaniam Natarajan
www.blog.etutorshop.com