Snort mailing list archives
Re: enable_xff with Snort
From: Balasubramaniam Natarajan <bala150985 () gmail com>
Date: Mon, 30 Sep 2013 11:58:17 +0530
On Sun, Sep 22, 2013 at 4:00 PM, Balasubramaniam Natarajan <bala150985 () gmail com> wrote:
Hi, I have been trying to configure Snort's http_inspect for some time now without any success.
Okay, finally got Snort to log the Extra Data of the True Client IP. All I had to do was include enable_xff in the line "preprocessor http_inspect_server: server default enable_xff". However, it seems that Snort after 2.9.0.5 has changed the way in which it logs the extra data, so the barnyard2-1.9 patch does not work any more.

root@Snort:/tmp/log# rm *
root@Snort:/tmp/log# /usr/local/bin/snort -r /home/bala/xforward_out.pcap -c /etc/test.conf -l /tmp/log/ -u snort -q
Rule Profile Statistics (worst 100 rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts   Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
   ===      === === ===     ======   =======    ======   =========  =========  ========= ============   ========
     1  2013504   1   3          1         1         1          19       19.2       19.2          0.0          0
root@Snort:/tmp/log# ls -ltrh
total 4.0K
-rw------- 1 snort snort 414 Sep 28 12:40 snort.alert.log.1380352241
root@Snort:/tmp/log# u2spewfoo snort.alert.log.1380352241

(Event)
    sensor id: 0    event id: 1    event second: 1379869570    event microsecond: 267132
    sig id: 2013504    gen id: 1    revision: 3    classification: 1
    priority: 3    ip source: 10.0.2.15    ip destination: 174.36.85.72
    src port: 34560    dest port: 80    protocol: 6    impact_flag: 0    blocked: 0

Packet
    sensor id: 0    event id: 1    event second: 1379869570
    packet second: 1379869570    packet microsecond: 267132
    linktype: 1    packet_length: 274
[    0] 52 54 00 12 35 02 08 00 27 EE 1B A6 08 00 45 00  RT..5...'.....E.
[   16] 01 04 34 1E 40 00 40 06 F6 5A 0A 00 02 0F AE 24  ..4.@.@..Z.....$
[   32] 55 48 87 00 00 50 86 55 CF 55 67 E7 BE 02 50 18  UH...P.U.Ug...P.
[   48] 39 08 B7 38 00 00 47 45 54 20 2F 20 48 54 54 50  9..8..GET / HTTP
[   64] 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74  /1.1..User-Agent
[   80] 3A 20 2E 44 65 62 69 61 6E 2E 41 50 54 2D 48 54  : .Debian.APT-HT
[   96] 54 50 2F 31 2E 33 2E 28 30 2E 39 2E 37 2E 37 75  TP/1.3.(0.9.7.7u
[  112] 62 75 6E 74 75 34 29 0D 0A 41 63 63 65 70 74 3A  buntu4)..Accept:
[  128] 20 2A 2F 2A 0D 0A 48 6F 73 74 3A 20 35 2E 74 65   */*..Host: 5.te
[  144] 73 74 2E 63 6F 6D 0D 0A 56 69 61 3A 20 31 2E 31  st.com..Via: 1.1
[  160] 20 6C 6F 63 61 6C 68 6F 73 74 20 28 73 71 75 69   localhost (squi
[  176] 64 2F 33 2E 31 2E 32 30 29 0D 0A 58 2D 46 6F 72  d/3.1.20)..X-For
[  192] 77 61 72 64 65 64 2D 46 6F 72 3A 20 31 39 32 2E  warded-For: 192.
[  208] 31 36 38 2E 31 2E 32 0D 0A 43 61 63 68 65 2D 43  168.1.2..Cache-C
[  224] 6F 6E 74 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 3D  ontrol: max-age=
[  240] 32 35 39 32 30 30 0D 0A 43 6F 6E 6E 65 63 74 69  259200..Connecti
[  256] 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A  on: keep-alive..
[  272] 0D 0A                                            ..

(ExtraDataHdr)
    event type: 4    event length: 36

(ExtraData)
    sensor id: 0    event id: 1    event second: 1379869570
    type: 1    datatype: 1    bloblength: 12    Original Client IP: 192.168.1.2

root@Snort:/tmp/log# grep http_inspect_server /etc/test.conf
preprocessor http_inspect_server: server default enable_xff

--
Regards,
Balasubramaniam Natarajan
www.blog.etutorshop.com
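The (ExtraDataHdr)/(ExtraData) block in the u2spewfoo output is the unified2 extra-data record that enable_xff writes for the X-Forwarded-For address, and it is the record the barnyard2 patch failed to consume. As an added example (not code from the post, Snort or barnyard2), the Python below serialises that record from the values u2spewfoo printed and decodes it back, rejecting truncated or inconsistently sized records instead of reporting a wrong client IP. The field layout and the record type code 110 are taken from Snort's unified2 definitions and are assumptions here; the event type 4, type 1, datatype 1 and bloblength 12 match the post's output.

```python
import socket
import struct

# Unified2 constants, assumed from Snort's unified2 definitions; the post's
# u2spewfoo output shows event type 4, type 1, datatype 1 and bloblength 12.
UNIFIED2_EXTRA_DATA = 110   # Serial_Unified2_Header.type for an extra-data record
EVENT_TYPE_EXTRA_DATA = 4   # Unified2ExtraDataHdr.event_type
EVENT_DATA_TYPE_BLOB = 1    # SerialUnified2ExtraData.data_type
XFF_IPV4, XFF_IPV6 = 1, 2   # extra-data "type": original client IPv4 / IPv6
SERIAL_HDR = struct.Struct("!II")   # record type, record length
EXTRA_HDR = struct.Struct("!II")    # event_type, event_length
EXTRA_BODY = struct.Struct("!6I")   # sensor_id, event_id, event_second, type, data_type, blob_length
HDR_LEN = SERIAL_HDR.size + EXTRA_HDR.size + EXTRA_BODY.size


def build_xff_extra_data(sensor_id, event_id, event_second, client_ip):
    """Serialise the record enable_xff emits: blob_length counts the data_type and
    blob_length words plus the payload (8 + 4 = 12), event_length both headers plus payload (36)."""
    payload = socket.inet_pton(socket.AF_INET6 if ":" in client_ip
                               else socket.AF_INET, client_ip)
    xtype = XFF_IPV6 if len(payload) == 16 else XFF_IPV4
    event_length = EXTRA_HDR.size + EXTRA_BODY.size + len(payload)
    return (SERIAL_HDR.pack(UNIFIED2_EXTRA_DATA, event_length)
            + EXTRA_HDR.pack(EVENT_TYPE_EXTRA_DATA, event_length)
            + EXTRA_BODY.pack(sensor_id, event_id, event_second, xtype,
                              EVENT_DATA_TYPE_BLOB, 8 + len(payload)) + payload)


def parse_xff_extra_data(record):
    """Decode one extra-data record; any length/type inconsistency raises ValueError."""
    if len(record) < HDR_LEN:
        raise ValueError("record too short for an extra-data header")
    rec_type, rec_len = SERIAL_HDR.unpack_from(record, 0)
    ev_type, ev_len = EXTRA_HDR.unpack_from(record, SERIAL_HDR.size)
    (sensor_id, event_id, event_second, xtype, data_type,
     blob_length) = EXTRA_BODY.unpack_from(record, HDR_LEN - EXTRA_BODY.size)
    payload = record[HDR_LEN:SERIAL_HDR.size + rec_len]
    if (rec_type != UNIFIED2_EXTRA_DATA or ev_type != EVENT_TYPE_EXTRA_DATA
            or ev_len != rec_len or data_type != EVENT_DATA_TYPE_BLOB
            or len(record) < SERIAL_HDR.size + rec_len
            or blob_length != 8 + len(payload)):
        raise ValueError("inconsistent extra-data record lengths or types")
    if xtype == XFF_IPV4 and len(payload) == 4:
        client_ip = socket.inet_ntop(socket.AF_INET, payload)
    elif xtype == XFF_IPV6 and len(payload) == 16:
        client_ip = socket.inet_ntop(socket.AF_INET6, payload)
    else:
        raise ValueError("unsupported extra-data type %d" % xtype)
    return {"sensor_id": sensor_id, "event_id": event_id,
            "event_second": event_second, "event_length": ev_len, "type": xtype,
            "blob_length": blob_length, "original_client_ip": client_ip}
```

Running `parse_xff_extra_data(build_xff_extra_data(0, 1, 1379869570, "192.168.1.2"))` reproduces the event length 36, bloblength 12 and client IP shown by u2spewfoo above.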