[Snort-devel] First packet X-Forwarded-For information and sending to a Unix Socket (Snort

Shane Boissevain shaneboissevain at ...2499...
Thu Dec 18 11:31:25 EST 2014

    When Snort is configured to alert on the packet that contains
the X-Forwarded-For information, as with the following rule, the
X-Forwarded-For information is not available at the time of logging to the
Unix Socket.

*Testing Rule:*
    alert tcp any any -> any any (msg:"X-Forwarded-For Data Found";
content:"X-Forwarded-For"; classtype:misc-activity; sid:8000000; rev:1;)

    I modified the output-plugins/spo_alert_unixsock.c file to append the
X-Forwarded-For Extra Data (referred to as the true_ip in the Snort code)
to the socket, and modified what was reading from the socket to grab the
additional 4 bytes. I then sent a few packets through a proxy and tripped
the alerts, and found that while the Unified 2 file and Barnyard2 received
a copy of the extra-data, the socket I was interested in was not. I traced
this down to the function SnortHttpInspect within
    On line 3465, Detect(p) is called BEFORE the HttpSessionData is
defined and has had a chance to extract the X-Forwarded-For information. The
alert is generated and the socket written to; by now it is too late to
append additional information. By defining the HttpSessionData early, the
hi_mi_mode_inspection function can be called, which trails down into the
call for the extract_http_xff method in
preprocessors/HttpInspect/client/hi_client.c, which sets the true_ip for
the session. The following change has eliminated my problem:

File: /preprocessors/snort_httpinspect.c

>     hsd = GetHttpSessionData(p);
>         /*Ensure that HttpSessionData exists, so that the XFF data can be
>         if (hsd == NULL)
>             hsd = SetNewHttpSessionData(p, (void *)Session);
>         else
>         {
>             /* Gzip data should not be logged with all the packets of the
>             hsd->log_flags &= ~HTTP_LOG_GZIP_DATA;
>             hsd->log_flags &= ~HTTP_LOG_JSNORM_DATA;
>         }
>         hi_mi_mode_inspection(Session, iInspectMode, p, hsd);
<     hsd = GetHttpSessionData(p);
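Review bot: the two comment lines in the hunk (`/*Ensure that HttpSessionData exists, so that the XFF data can be` and `/* Gzip data should not be logged with all the packets of the`) are cut off without a closing `*/`, so the hunk as quoted will not compile; please post the complete lines. Also, since the first `>` line repeats the unchanged `<` line `hsd = GetHttpSessionData(p);`, the change is really a pure insertion of the NULL check, the flag-clearing `else` branch and the `hi_mi_mode_inspection(Session, iInspectMode, p, hsd);` call ahead of `Detect(p)`; if the function still performs the same session setup and inspection after `Detect(p)`, that later block should be removed or guarded so the same packet is not inspected twice.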

*Standing questions:*
    For my purposes, I required the http session data earlier for output to
the Unix Socket. This seems to be the most logical way to accomplish that,
but I wanted to check with the community to ensure that:
    1) There was not a simpler way to do this.
    2) A reason it was not done this way to begin with.

Thank you, if you've gotten this far. Also, I apologize if this is not the
correct medium to present this, however I did want to publish this in case
anyone else hits a similar issue or desire (even though this is an old
version of Snort).
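Added example, not from the post and not Snort's own code: a hypothetical stand-in for what extract_http_xff has to produce before the alert is written, returning the left-most X-Forwarded-For address as the 4-byte true_ip a Unix-socket consumer would append. The sample requests are constructed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample requests (not captured traffic). */
static const char XFF_REQ[] =
    "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    "x-forwarded-for: 203.0.113.7, 10.0.0.5\r\n\r\n";
static const char PLAIN_REQ[] = "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n";
static const char UNKNOWN_REQ[] = "X-Forwarded-For: unknown, 10.0.0.5\r\n\r\n";

/* Return the left-most X-Forwarded-For address (the original client, which
 * Snort calls true_ip) as a host-order IPv4 value, or 0 when the header is
 * absent or its first entry is not a valid IPv4 literal. Header names are
 * matched case-insensitively, only at the start of a line, and only inside
 * the header block. Hypothetical stand-in, not Snort's extract_http_xff(). */
uint32_t xff_true_ip(const char *req, size_t len)
{
    static const char name[] = "X-Forwarded-For:";
    const size_t nlen = sizeof(name) - 1;
    const char *line = req, *end = req + len;

    while (line + nlen <= end) {
        if (line[0] == '\r' || line[0] == '\n')
            break; /* blank line: end of headers, do not scan the body */
        if (strncasecmp(line, name, nlen) == 0) {
            const char *v = line + nlen;
            char buf[INET_ADDRSTRLEN];
            size_t n = 0;
            struct in_addr a;
            while (v < end && (*v == ' ' || *v == '\t'))
                v++;
            /* Copy only the first hop: the list reads "client, proxy1, proxy2". */
            while (v < end && n < sizeof(buf) - 1 && strchr(", \t\r\n", *v) == NULL)
                buf[n++] = *v++;
            buf[n] = '\0';
            return inet_pton(AF_INET, buf, &a) == 1 ? ntohl(a.s_addr) : 0;
        }
        const char *nl = memchr(line, '\n', (size_t)(end - line));
        if (nl == NULL)
            break;
        line = nl + 1; /* next header line */
    }
    return 0;
}

int main(void)
{
    uint32_t ip = xff_true_ip(XFF_REQ, sizeof(XFF_REQ) - 1);
    printf("true_ip: %u.%u.%u.%u\n", ip >> 24, (ip >> 16) & 0xff, (ip >> 8) & 0xff, ip & 0xff);
    return 0;
}
```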