uint16_t flags;
uint32_t payload_buffer_size;
HttpXFFCfg *xff_cfg;
+ HttpXFFCfg *parent_xff_cfg;
bool include_metadata;
} AlertJsonOutputCtx;
json_object_set_new(hjs, "rule", json_string(pa->s->sig_str));
}
- HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
+ HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ?
+ json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;
/* xff header */
if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
json_output_ctx->flags |= flags;
}
-static void JsonAlertLogSetupXff(AlertJsonOutputCtx *json_output_ctx,
- ConfNode *conf)
+static HttpXFFCfg *JsonAlertLogGetXffCfg(ConfNode *conf)
{
HttpXFFCfg *xff_cfg = NULL;
-
- xff_cfg = SCMalloc(sizeof(HttpXFFCfg));
- if (unlikely(xff_cfg == NULL)) {
- return;
- }
- memset(xff_cfg, 0, sizeof(HttpXFFCfg));
- json_output_ctx->xff_cfg = xff_cfg;
-
- if (conf != NULL) {
- HttpXFFGetCfg(conf, xff_cfg);
+ if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) {
+ xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
+ if (likely(xff_cfg != NULL)) {
+ HttpXFFGetCfg(conf, xff_cfg);
+ }
}
+ return xff_cfg;
}
/**
json_output_ctx->file_ctx = logfile_ctx;
JsonAlertLogSetupMetadata(json_output_ctx, conf);
- JsonAlertLogSetupXff(json_output_ctx, conf);
+ json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
output_ctx->data = json_output_ctx;
output_ctx->DeInit = JsonAlertLogDeInitCtx;
json_output_ctx->include_metadata = ajt->include_metadata;
JsonAlertLogSetupMetadata(json_output_ctx, conf);
- JsonAlertLogSetupXff(json_output_ctx, conf);
+ json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
+ if (json_output_ctx->xff_cfg == NULL) {
+ json_output_ctx->parent_xff_cfg = ajt->xff_cfg;
+ }
output_ctx->data = json_output_ctx;
output_ctx->DeInit = JsonAlertLogDeInitCtxSub;
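Review bot: The new fallback assignment just above the `/* xff header */` comment ends in a doubled semicolon — `json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;` — which compiles as an empty statement but should read `json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;`. The sub-context now keeps a raw pointer to the parent's HttpXFFCfg via parent_xff_cfg, so correctness depends on JsonAlertLogDeInitCtxSub never freeing it and on the parent context outliving every sub-context; both deinit functions are outside this diff, so I cannot confirm that from here, and a comment on the parent_xff_cfg field stating it is borrowed, not owned, would make the contract explicit. JsonAlertLogGetXffCfg returns NULL both when no `xff` node is configured and when SCCalloc fails, which in the sub-context path silently falls back to the parent's config instead of reporting the allocation failure; a header comment such as `/* Returns a newly allocated config, or NULL when no "xff" node exists or allocation fails. */` would at least document that both cases are indistinguishable to the caller. The enclosing init functions start outside the shown hunks.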
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
tagged-packets: yes
-
- # HTTP X-Forwarded-For support by adding an extra field or overwriting
- # the source or destination IP address (depending on flow direction)
- # with the one reported in the X-Forwarded-For HTTP header. This is
- # helpful when reviewing alerts for traffic that is being reverse
- # or forward proxied.
- xff:
- enabled: no
- # Two operation modes are available, "extra-data" and "overwrite".
- mode: extra-data
- # Two proxy deployments are supported, "reverse" and "forward". In
- # a "reverse" deployment the IP address used is the last one, in a
- # "forward" deployment the first IP address is used.
- deployment: reverse
- # Header name where the actual IP address will be reported, if more
- # than one IP address is present, the last IP address will be the
- # one taken into consideration.
- header: X-Forwarded-For
- http:
extended: yes # enable this for extended logging information
# custom allows additional http fields to be included in eve-log