[Snort-users] enable_xff with Snort

Balasubramaniam Natarajan bala150985 at ...11827...
Mon Sep 30 02:28:17 EDT 2013


On Sun, Sep 22, 2013 at 4:00 PM, Balasubramaniam Natarajan <
bala150985 at ...11827...> wrote:

> Hi
>
> I have been trying to configure snort's http_inspect for some time now
> without any success.
>
Okay, finally got snort to log the Extra Data of True Client IP.  All I had
to do was include enable_xff in the line "preprocessor http_inspect_server:
server default enable_xff".  However, it seems that snort after 2.9.0.5 has
changed the way in which it logs the extra data, so that the barnyard2.1.9
patch does not work any more.

root at ...16548...:/tmp/log# rm *
root at ...16548...:/tmp/log# /usr/local/bin/snort -r /home/bala/xforward_out.pcap -c /etc/test.conf -l /tmp/log/ -u snort -q
Rule Profile Statistics (worst 100 rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
   ===      === === ===     ======   =======    ======           =========  =========  ========= ============   ========
     1  2013504   1   3          1         1         1                  19       19.2       19.2          0.0          0
root at ...16548...:/tmp/log# ls -ltrh
total 4.0K
-rw------- 1 snort snort 414 Sep 28 12:40 snort.alert.log.1380352241
root at ...16548...:/tmp/log# u2spewfoo snort.alert.log.1380352241

(Event)
    sensor id: 0    event id: 1    event second: 1379869570    event microsecond: 267132
    sig id: 2013504    gen id: 1    revision: 3     classification: 1
    priority: 3    ip source: 10.0.2.15    ip destination: 174.36.85.72
    src port: 34560    dest port: 80    protocol: 6    impact_flag: 0
blocked: 0

Packet
    sensor id: 0    event id: 1    event second: 1379869570
    packet second: 1379869570    packet microsecond: 267132
    linktype: 1    packet_length: 274
[    0] 52 54 00 12 35 02 08 00 27 EE 1B A6 08 00 45 00  RT..5...'.....E.
[   16] 01 04 34 1E 40 00 40 06 F6 5A 0A 00 02 0F AE 24  ..4.@.@..Z.....$
[   32] 55 48 87 00 00 50 86 55 CF 55 67 E7 BE 02 50 18  UH...P.U.Ug...P.
[   48] 39 08 B7 38 00 00 47 45 54 20 2F 20 48 54 54 50  9..8..GET / HTTP
[   64] 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74  /1.1..User-Agent
[   80] 3A 20 2E 44 65 62 69 61 6E 2E 41 50 54 2D 48 54  : .Debian.APT-HT
[   96] 54 50 2F 31 2E 33 2E 28 30 2E 39 2E 37 2E 37 75  TP/1.3.(0.9.7.7u
[  112] 62 75 6E 74 75 34 29 0D 0A 41 63 63 65 70 74 3A  buntu4)..Accept:
[  128] 20 2A 2F 2A 0D 0A 48 6F 73 74 3A 20 35 2E 74 65   */*..Host: 5.te
[  144] 73 74 2E 63 6F 6D 0D 0A 56 69 61 3A 20 31 2E 31  st.com..Via: 1.1
[  160] 20 6C 6F 63 61 6C 68 6F 73 74 20 28 73 71 75 69   localhost (squi
[  176] 64 2F 33 2E 31 2E 32 30 29 0D 0A 58 2D 46 6F 72  d/3.1.20)..X-For
[  192] 77 61 72 64 65 64 2D 46 6F 72 3A 20 31 39 32 2E  warded-For: 192.
[  208] 31 36 38 2E 31 2E 32 0D 0A 43 61 63 68 65 2D 43  168.1.2..Cache-C
[  224] 6F 6E 74 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 3D  ontrol: max-age=
[  240] 32 35 39 32 30 30 0D 0A 43 6F 6E 6E 65 63 74 69  259200..Connecti
[  256] 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A  on: keep-alive..
[  272] 0D 0A                                            ..

(ExtraDataHdr)
    event type: 4    event length: 36

(ExtraData)
    sensor id: 0    event id: 1    event second: 1379869570
    type: 1    datatype: 1    bloblength: 12    Original Client IP: 192.168.1.2
root at ...16548...:/tmp/log# grep http_inspect_server /etc/test.conf

preprocessor http_inspect_server: server default enable_xff

-- 
Regards,
Balasubramaniam Natarajan
www.blog.etutorshop.com
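The u2spewfoo dump above shows exactly what the enable_xff option produces on disk: a unified2 extra-data record whose 36-byte body carries the sensor/event identifiers, an info type of 1 ("Original Client IP"), a blob length of 12 and the four IPv4 bytes. The following Python is an added example, not Snort's or barnyard2's code, that builds a constructed record with the same values and decodes it back; the record layout and the constants (record type 110, event type 4, info type 1, data type 1) are assumed here from Snort's unified2 definitions. The point of the cross-checks on the length fields is the failure mode the post runs into: a reader that silently ignores a layout change misattributes or drops the client IP, whereas this one raises as soon as a length disagrees.

```python
import struct
import ipaddress

# Assumed from Snort's unified2 definitions (not stated in the post):
# record type 110 carries extra data; within it, event_type 4 marks an extra-data
# block, info type 1 is the X-Forwarded-For / "Original Client IP" (IPv4) slot,
# and data_type 1 means the value is an opaque blob.
UNIFIED2_EXTRA_DATA = 110
EVENT_TYPE_EXTRA_DATA = 4
EVENT_INFO_XFF_IPV4 = 1
EVENT_DATA_TYPE_BLOB = 1

RECORD_HDR = struct.Struct("!II")       # record type, record length (network byte order)
EXTRA_DATA_HDR = struct.Struct("!II")   # event type, event length
EXTRA_DATA = struct.Struct("!IIIIII")   # sensor id, event id, event second,
                                        # type, data type, blob length


def build_extra_data_record(sensor_id, event_id, event_second, info_type, blob):
    """Serialise one extra-data record. Used only to construct the sample input;
    blob length counts the data plus the data_type and blob_length fields (8 bytes)."""
    body = EXTRA_DATA.pack(sensor_id, event_id, event_second, info_type,
                           EVENT_DATA_TYPE_BLOB, len(blob) + 8)
    event_length = EXTRA_DATA_HDR.size + len(body) + len(blob)
    payload = EXTRA_DATA_HDR.pack(EVENT_TYPE_EXTRA_DATA, event_length) + body + blob
    return RECORD_HDR.pack(UNIFIED2_EXTRA_DATA, len(payload)) + payload


def iter_records(data):
    """Yield (record_type, payload) from a unified2 byte stream, refusing truncated records."""
    off = 0
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            raise ValueError("record at offset %d claims %d bytes past end of data" % (off, rlen))
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_extra_data(payload):
    """Decode one extra-data payload into the fields u2spewfoo prints.
    Every length field is cross-checked so a layout change surfaces as an error."""
    event_type, event_length = EXTRA_DATA_HDR.unpack_from(payload, 0)
    if event_type != EVENT_TYPE_EXTRA_DATA or event_length != len(payload):
        raise ValueError("unexpected extra-data header: type=%d length=%d (payload %d bytes)"
                         % (event_type, event_length, len(payload)))
    sensor_id, event_id, event_second, info_type, data_type, blob_length = \
        EXTRA_DATA.unpack_from(payload, EXTRA_DATA_HDR.size)
    blob = payload[EXTRA_DATA_HDR.size + EXTRA_DATA.size:]
    if blob_length != len(blob) + 8:
        raise ValueError("blob length %d does not match %d data bytes" % (blob_length, len(blob)))
    rec = {"sensor_id": sensor_id, "event_id": event_id, "event_second": event_second,
           "event_length": event_length, "type": info_type, "data_type": data_type,
           "blob_length": blob_length, "blob": blob}
    if info_type == EVENT_INFO_XFF_IPV4 and data_type == EVENT_DATA_TYPE_BLOB and len(blob) == 4:
        rec["original_client_ip"] = str(ipaddress.IPv4Address(blob))
    return rec


def xff_by_event(data):
    """Map (sensor_id, event_id) -> original client IP for every XFF record in the stream,
    so the proxied client can be joined back onto the matching event record."""
    result = {}
    for rtype, payload in iter_records(data):
        if rtype != UNIFIED2_EXTRA_DATA:
            continue  # event and packet records are skipped here
        rec = parse_extra_data(payload)
        if "original_client_ip" in rec:
            result[(rec["sensor_id"], rec["event_id"])] = rec["original_client_ip"]
    return result


# Constructed sample mirroring the dump: sensor 0, event 1, event second 1379869570,
# XFF IPv4 192.168.1.2. Yields an 8-byte record header plus a 36-byte body.
SAMPLE = build_extra_data_record(0, 1, 1379869570, EVENT_INFO_XFF_IPV4,
                                 ipaddress.IPv4Address("192.168.1.2").packed)

if __name__ == "__main__":
    for rtype, payload in iter_records(SAMPLE):
        print("record type", rtype, "->", parse_extra_data(payload))
    print(xff_by_event(SAMPLE))
```

To run this against a real log instead of the constructed sample, pass the contents of the snort.alert.log.* file (opened in binary mode) to xff_by_event; event and packet records are skipped, and only the extra-data records carrying an IPv4 client address are returned, keyed so they can be matched to the event's sensor id and event id.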