LogFileCtx *file_ctx;
uint32_t file_cnt;
HttpXFFCfg *xff_cfg;
+ HttpXFFCfg *parent_xff_cfg;
} OutputFileCtx;
typedef struct JsonFileLogThread_ {
static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p,
const File *ff, uint32_t dir)
{
- HttpXFFCfg *xff_cfg = aft->filelog_ctx->xff_cfg;
+ HttpXFFCfg *xff_cfg = aft->filelog_ctx->xff_cfg != NULL ?
+ aft->filelog_ctx->xff_cfg : aft->filelog_ctx->parent_xff_cfg;;
json_t *js = JsonBuildFileInfoRecord(p, ff,
ff->flags & FILE_STORED ? true : false, dir, xff_cfg);
if (unlikely(js == NULL)) {
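Review bot: The new initialiser of `xff_cfg` ends with a stray double semicolon (`parent_xff_cfg;;`), which compiles as an empty statement but reads as a typo and trips stricter warning/lint settings. The fallback itself is reasonable, but a one-line comment would save the next reader a trip to the init code, e.g. `/* per-logger xff settings win; otherwise inherit the parent eve-log xff config */`. Suggested lines: `HttpXFFCfg *xff_cfg = aft->filelog_ctx->xff_cfg != NULL ?` / `aft->filelog_ctx->xff_cfg : aft->filelog_ctx->parent_xff_cfg;`. FileWriteJsonRecord's body continues past the end of the hunk.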
OutputInitResult result = { NULL, false };
OutputJsonCtx *ojc = parent_ctx->data;
- OutputFileCtx *output_file_ctx = SCMalloc(sizeof(OutputFileCtx));
+ OutputFileCtx *output_file_ctx = SCCalloc(1, sizeof(OutputFileCtx));
if (unlikely(output_file_ctx == NULL))
return result;
FileForceHashParseCfg(conf);
}
- output_file_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
- if (output_file_ctx->xff_cfg != NULL) {
- HttpXFFGetCfg(conf, output_file_ctx->xff_cfg);
+
+ if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) {
+ output_file_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
+ if (output_file_ctx->xff_cfg != NULL) {
+ HttpXFFGetCfg(conf, output_file_ctx->xff_cfg);
+ }
+ } else if (ojc->xff_cfg) {
+ output_file_ctx->parent_xff_cfg = ojc->xff_cfg;
}
output_ctx->data = output_file_ctx;
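Review bot: `parent_xff_cfg` is set by aliasing `ojc->xff_cfg` rather than copying it, so the file-log context now carries a borrowed pointer whose lifetime is tied to the parent OutputJsonCtx; the deinit path (not in this diff) must free only the owned `xff_cfg`, never `parent_xff_cfg`, and the parent context must outlive its sub-loggers. That contract should be stated on the struct field, e.g. `HttpXFFCfg *parent_xff_cfg; /* borrowed from the parent eve ctx; not owned, do not free */`. Separately, when the `xff` node is present but `SCCalloc` fails, neither pointer is set and XFF handling is silently disabled for this logger instead of falling back to the parent config; whether that is intended is not clear from the hunk. The enclosing init function starts and ends outside the hunk.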
# force logging of checksums, available hash functions are md5,
# sha1 and sha256
#force-hash: [md5]
- # HTTP X-Forwarded-For support by adding an extra field or overwriting
- # the source or destination IP address (depending on flow direction)
- # with the one reported in the X-Forwarded-For HTTP header. This is
- # helpful when reviewing alerts for traffic that is being reverse
- # or forward proxied.
- xff:
- enabled: no
- # Two operation modes are available, "extra-data" and "overwrite".
- mode: extra-data
- # Two proxy deployments are supported, "reverse" and "forward". In
- # a "reverse" deployment the IP address used is the last one, in a
- # "forward" deployment the first IP address is used.
- deployment: reverse
- # Header name where the actual IP address will be reported, if more
- # than one IP address is present, the last IP address will be the
- # one taken into consideration.
- header: X-Forwarded-For
#- drop:
# alerts: yes # log alerts that caused drops
# flows: all # start or all: 'start' logs only a single drop