Snort mailing list archives

Re: Using DNS response fields in an alert msg


From: "lists () packetmail net" <lists () packetmail net>
Date: Wed, 7 Jan 2015 09:00:55 -0600

On 01/07/2015 08:53 AM, Rodgers, Anthony (DTMB) wrote:
In similar vein, I'd love to do something with the "X-Forwarded-For" header field in HTTP traffic. For suspected 
infections, it's the proxy client I'm interested in remediating, not the proxy server itself.

Ryan Moon and I (I didn't do much, if anything) wrote some code that does this
using the Unified format and then converts it to a traditional syslog feed.  I
had some conversations with Victor about this and it may be in the current
version of Suricata now, I'd need to check.  If not you're more than welcome to
the code if this would fit your use case?  We're using this code behind a
load-balancer where it hits the VIPs to pull out the true Internet IP.

Since it's parsing unified format I imagine it'll work with Snort as well, not
just Suricata.  It's written in Ruby; hit me up off-list if you'd like a copy at
this address of my first name @ packetmail.net

Cheers,
Nathan
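As an added illustration (not Nathan's or Ryan Moon's code, which the post offers off-list), here is a small Ruby script for the step described above: reading the HTTP request payload that accompanies an alert, pulling the originating client out of X-Forwarded-For, and emitting a syslog-style line that names the proxy client rather than the proxy as the remediation target. The VIP ranges, the alert hash layout and the sample alert are constructed assumptions; a real tool would fill the hash from unified2 records. It also covers the caveat a practitioner would want: X-Forwarded-For is set by whoever sends the request, so it is only honoured when the packet actually arrived from a known proxy or load-balancer VIP, and the chain is walked from the right so that only hops beyond the trusted proxies are taken as the client.

```ruby
require 'ipaddr'

# Load-balancer / proxy VIP ranges whose X-Forwarded-For entries we trust.
# Constructed sample values; replace with the real VIP ranges.
TRUSTED_PROXIES = %w[10.0.0.0/8 192.0.2.0/24].map { |c| IPAddr.new(c) }.freeze

# Constructed sample alert, shaped like what a unified2 event + packet record
# would yield: the source seen by the sensor is the load-balancer (10.1.2.3),
# the real client is the leftmost X-Forwarded-For entry.
SAMPLE_ALERT = {
  sensor_id: 1,
  sid: 1_000_001,
  src_ip: '10.1.2.3',
  dst_ip: '198.51.100.7',
  payload: "GET /update.php HTTP/1.1\r\n" \
           "Host: example.test\r\n" \
           "X-Forwarded-For: 203.0.113.9, 10.1.2.3\r\n\r\n"
}.freeze

def trusted_proxy?(ip, trusted = TRUSTED_PROXIES)
  addr = IPAddr.new(ip.to_s)
  trusted.any? { |net| net.include?(addr) }
rescue ArgumentError
  false
end

# Pull the X-Forwarded-For value out of a raw HTTP request payload.
# Only the header block (before the first blank line) is scanned; returns nil
# when the header is absent.
def extract_xff(payload)
  head = payload.split(/\r?\n\r?\n/, 2).first || ''
  head.each_line do |line|
    name, value = line.split(':', 2)
    next unless name && value
    return value.strip if name.strip.downcase == 'x-forwarded-for'
  end
  nil
end

# Walk the XFF chain from the right, skipping hops that are trusted proxies.
# The first address that is not a trusted proxy is the originating client.
# Entries that are not valid IPs are ignored, since the header is supplied
# by the requester and may contain junk.
def client_ip_from_xff(xff, trusted = TRUSTED_PROXIES)
  return nil if xff.nil?
  xff.split(',').map(&:strip).reverse_each do |hop|
    begin
      addr = IPAddr.new(hop)
    rescue ArgumentError
      next
    end
    return addr.to_s unless trusted.any? { |net| net.include?(addr) }
  end
  nil
end

# Build the syslog-style line. The XFF client is only used when the packet
# came from a trusted VIP; otherwise the header could have been forged by a
# client talking to the sensor directly, and the source IP is kept as the
# remediation target.
def syslog_line(alert, trusted = TRUSTED_PROXIES)
  client = nil
  if trusted_proxy?(alert[:src_ip], trusted)
    client = client_ip_from_xff(extract_xff(alert[:payload]), trusted)
  end
  target = client || alert[:src_ip]
  format('snort[%d]: sid=%d src=%s dst=%s xff_client=%s remediate=%s',
         alert[:sensor_id], alert[:sid], alert[:src_ip], alert[:dst_ip],
         client || '-', target)
end

puts syslog_line(SAMPLE_ALERT) if $PROGRAM_NAME == __FILE__
```

Running the file as a script prints the line for the constructed alert; in a real pipeline the hash would be filled from each unified2 event and its packet payload, and the output handed to the syslog forwarder.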

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org