[Snort-devel] First packet X-Forwarded-For information and sending to a Unix Socket (Snort

Russ Combs (rucombs) rucombs at ...3461...
Thu Dec 18 12:20:15 EST 2014

Thanks for sharing your solution.  XFF and other extra data is supported only for unified2 output at present.  Not sure where your patch might apply in the current version but we don't want to do the HTTP inspection twice.  I've opened an internal bug to investigate further.

From: Shane Boissevain [shaneboissevain at ...2499...]
Sent: Thursday, December 18, 2014 11:31 AM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] First packet X-Forwarded-For information and sending to a Unix Socket (Snort

    When Snort is configured to alert on the packet that contains the X-Forwarded-For information, as with the following rule, the X-Forwarded-For information is not available at the time of logging to the Unix Socket.

Testing Rule:
    alert tcp any any -> any any (msg:"X-Forwarded-For Data Found"; content:"X-Forwarded-For"; classtype:misc-activity; sid:8000000; rev:1;)

    I modified the output-plugins/spo_alert_unixsock.c file to append the X-Forwarded-For Extra Data (referred to as the true_ip in the Snort code) to the socket, and modified what was reading from the socket to grab the additional 4 bytes. I then sent a few packets through a proxy and tripped the alerts, and found that while the Unified 2 file and Barnyard2 received a copy of the extra-data, the socket I was interested in was not. I traced this down to the function SnortHttpInspect within preprocessors/snort_httpinspect.c.
    On line 3465, Detect(p) is called, BEFORE the HttpSessionData is defined, and had a chance to extract the X-Forwarded-For information. The alert is generated, and the socket written to; by now it is too late to append additional information. By defining the HttpSessionData early, the hi_mi_mode_inspection function can be called, which trails down into the call for the extract_http_xff method in preprocessors/HttpInspect/client/hi_client.c, which sets the true_ip for the session. The following change has eliminated my problem:

File: /preprocessors/snort_httpinspect.c

>     hsd = GetHttpSessionData(p);
>         /*Ensure that HttpSessionData exists, so that the XFF data can be set.*/
>         if (hsd == NULL)
>             hsd = SetNewHttpSessionData(p, (void *)Session);
>         else
>         {
>             /* Gzip data should not be logged with all the packets of the session.*/
>             hsd->log_flags &= ~HTTP_LOG_GZIP_DATA;
>             hsd->log_flags &= ~HTTP_LOG_JSNORM_DATA;
>         }
>         hi_mi_mode_inspection(Session, iInspectMode, p, hsd);
<     hsd = GetHttpSessionData(p);

Standing questions:
    For my purposes, I required the http session data earlier for output to the Unix Socket. This seems to be the most logical way to accomplish that, but I wanted to check with the community to ensure that:
    1) There was not a simpler way to do this.
    2) A reason it was not done this way to begin with.

Thank you, if you've gotten this far. Also, I apologize if this is not the correct media to present this, however I did want to publish this incase anyone else hits a similar issue or desire (even though this is a old version of snort).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20141218/83151607/attachment.html>

More information about the Snort-devel mailing list