Snort mailing list archives
Re: Using DNS response fields in an alert msg
From: "lists () packetmail net" <lists () packetmail net>
Date: Wed, 7 Jan 2015 09:00:55 -0600
On 01/07/2015 08:53 AM, Rodgers, Anthony (DTMB) wrote:
In similar vein, I'd love to do something with the "X-Forwarded-For" header field in HTTP traffic. For suspected infections, it's the proxy client I'm interested in remediating, not the proxy server itself.
Ryan Moon and I (I didn't do much, if anything) wrote some code that does this using the Unified format and then converts it to a traditional syslog feed. I had some conversations with Victor about this and it may be in the current version of Suricata now; I'd need to check. If not, you're more than welcome to the code if this would fit your use case. We're using this code behind a load-balancer where it hits the VIPs to pull out the true Internet IP. Since it's parsing unified format I imagine it'll work with Snort as well, not just Suricata. It's written in Ruby; hit me up off-list if you'd like a copy at this address of my first name @ packetmail.net

Cheers,
Nathan
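The enrichment Nathan describes, in Ruby, as an added example that is not his tool or any code from the thread: it assumes the unified2 parsing has already been done and hands us the alert fields plus the HTTP request bytes from the packet record, then pulls the proxied client out of X-Forwarded-For and renders a syslog-style line that names the host to remediate. All sample values (payload, event fields, the 192.0.2.0/24 proxy range) are constructed. Because X-Forwarded-For is client-supplied, the code walks the list from the right, skipping only addresses of its own proxies, rather than trusting the left-most entry.

```ruby
require 'ipaddr'

# Constructed sample of the HTTP request bytes that the packet record of a
# unified2 alert could carry. Assumption: the unified2 parsing step has
# already been done and handed us this payload.
SAMPLE_PAYLOAD = "GET /update.php HTTP/1.1\r\n" \
                 "Host: update.example.invalid\r\n" \
                 "X-Forwarded-For: 10.20.30.40, 192.0.2.1\r\n" \
                 "User-Agent: Mozilla/5.0\r\n\r\n"

# Constructed alert fields of the kind a unified2 event record provides.
SAMPLE_EVENT = { gid: 1, sid: 1_000_001, rev: 1,
                 msg: 'LOCAL suspected beacon',
                 src: '192.0.2.1', sport: 51_234,
                 dst: '203.0.113.5', dport: 80 }.freeze

# Constructed: the load-balancer / proxy range that appends X-Forwarded-For.
TRUSTED_PROXIES = [IPAddr.new('192.0.2.0/24')].freeze

# Parse the header block of an HTTP request into {lowercased name => [values]}.
def parse_headers(payload)
  headers = Hash.new { |h, k| h[k] = [] }
  head, _body = payload.split("\r\n\r\n", 2)
  return headers if head.nil?
  lines = head.split("\r\n")
  lines.shift                       # drop the request line
  lines.each do |line|
    name, value = line.split(':', 2)
    next if name.nil? || value.nil?
    headers[name.strip.downcase] << value.strip
  end
  headers
end

# Pick the client address from X-Forwarded-For. The header is client-supplied,
# so the left-most entry is whatever the client chose to write; only the
# entries our own proxies appended on the right are trustworthy. Walk right
# to left, skip trusted proxy addresses, return the first remaining valid IP,
# or nil when the header is absent or holds nothing usable.
def xff_client_ip(headers, trusted = TRUSTED_PROXIES)
  entries = headers['x-forwarded-for'].join(',').split(',').map(&:strip)
  entries.reverse_each do |entry|
    begin
      ip = IPAddr.new(entry)
    rescue IPAddr::InvalidAddressError, ArgumentError
      next                          # garbage entry: ignore it
    end
    return ip.to_s unless trusted.any? { |net| net.include?(ip) }
  end
  nil
end

# Attach the XFF-derived client to the event; fall back to the packet source
# (the proxy itself) when no usable client address was found.
def enrich_event(event, payload, trusted = TRUSTED_PROXIES)
  client = xff_client_ip(parse_headers(payload), trusted)
  event.merge(xff_client: client, remediation_target: client || event[:src])
end

# Render one traditional syslog-style message line from the enriched event.
def to_syslog(e)
  format('snort: [%d:%d:%d] %s {TCP} %s:%d -> %s:%d xff_client=%s remediation_target=%s',
         e[:gid], e[:sid], e[:rev], e[:msg],
         e[:src], e[:sport], e[:dst], e[:dport],
         e[:xff_client] || '-', e[:remediation_target])
end

if $PROGRAM_NAME == __FILE__
  puts to_syslog(enrich_event(SAMPLE_EVENT, SAMPLE_PAYLOAD))
end
```

Run as a script it prints one line ending in `xff_client=10.20.30.40 remediation_target=10.20.30.40`; with no usable header it reports the packet source instead, so a downstream consumer always gets a remediation target and can tell which kind it received.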
Current thread:
- Using DNS response fields in an alert msg David Longenecker (Jan 07)
- Re: Using DNS response fields in an alert msg lists () packetmail net (Jan 07)
- Re: Using DNS response fields in an alert msg lists () packetmail net (Jan 07)
- Re: Using DNS response fields in an alert msg Rodgers, Anthony (DTMB) (Jan 07)
- Re: Using DNS response fields in an alert msg lists () packetmail net (Jan 07)
- Re: Using DNS response fields in an alert msg Joel Esler (jesler) (Jan 07)
- Re: Using DNS response fields in an alert msg Joel Esler (jesler) (Jan 07)
- Re: Using DNS response fields in an alert msg James Lay (Jan 07)
- Re: Using DNS response fields in an alert msg Mustafa Qasim (Jan 07)
- Re: Using DNS response fields in an alert msg Jason Haar (Jan 21)
- <Possible follow-ups>
- Re: Using DNS response fields in an alert msg David Longenecker (Jan 22)
- Re: Using DNS response fields in an alert msg Joel Esler (jesler) (Jan 22)
- Re: Using DNS response fields in an alert msg lists () packetmail net (Jan 07)