[Snort-users] Alerts with the incorrect Source IP (proxy server)

beenph beenph at ...11827...
Wed Oct 24 14:36:20 EDT 2012


On Wed, Oct 24, 2012 at 2:27 PM, Turnbough, Bradley E.
<bturnbough at ...15650...> wrote:
> Stupid question, but enable_xff doesn’t exist in my snort.conf.  Where does
> it go?
>
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Wednesday, October 24, 2012 1:10 PM
> To: Jeremy Hoel
> Cc: Turnbough, Bradley E.; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Alerts with the incorrect Source IP (proxy
> server)
>
> If you have additional logging turned on, and your proxy supports it (and
> you have "enable_xff" turned on in the snort.conf), we'll log the actual IP
> in the additional data in the unified2 file.
>

Just to clarify something, barnyard2 will process (read) but will not
log EXTRA_DATA events to the database.

-elz



