json_ctx->include_metadata = true;
}
+ /* Do we have a global eve xff configuration? */
+ const ConfNode *xff = ConfNodeLookupChild(conf, "xff");
+ if (xff != NULL) {
+ json_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
+ if (likely(json_ctx->xff_cfg != NULL)) {
+ HttpXFFGetCfg(conf, json_ctx->xff_cfg);
+ }
+ }
+
const char *pcapfile_s = ConfNodeLookupChildValue(conf, "pcap-file");
if (pcapfile_s != NULL && ConfValIsTrue(pcapfile_s)) {
json_ctx->file_ctx->is_pcap_offline =
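Review bot: An allocation failure at the `SCCalloc` on the new `xff_cfg` line is swallowed silently — `xff_cfg` stays NULL and the XFF settings the operator configured are simply never applied, which in "overwrite" mode means the logged addresses differ from what the deployment expects with no indication why. Report it on the `else` path with the logging macro this file already uses for allocation failures, e.g. `SCLogError(SC_ERR_MEM_ALLOC, "failed to allocate eve xff config, XFF disabled");` (or the equivalent warning macro, whichever the file uses). Note also that `HttpXFFGetCfg` is handed `conf`, the parent node, not `xff`, so the `ConfNodeLookupChild` result only serves as a presence test; a one-line comment saying so, `/* 'xff' node only checked for presence; HttpXFFGetCfg re-walks conf itself */`, would save the next reader a lookup. The enclosing function starts before and continues past this hunk.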
"%"PRIu64" events were dropped due to slow or "
"disconnected socket", logfile_ctx->dropped);
}
+ if (json_ctx->xff_cfg != NULL) {
+ SCFree(json_ctx->xff_cfg);
+ }
LogFileFreeCtx(logfile_ctx);
SCFree(json_ctx);
SCFree(output_ctx);
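Review bot: The new free relies on `json_ctx->xff_cfg` being NULL whenever no `xff:` section was present; that holds only if `json_ctx` is zero-initialised (SCCalloc) at allocation time, which is outside this hunk — worth confirming, since with a plain SCMalloc this would free an uninitialised pointer. If `SCFree` is a plain `free` wrapper the `!= NULL` guard is redundant (free(NULL) is a no-op), though harmless. A short comment on the guard, `/* xff_cfg is only allocated when an 'xff' section exists; NULL otherwise */`, documents the invariant the free depends on. The enclosing deinit function starts before this hunk.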
#include "util-logopenfile.h"
#include "output.h"
+#include "app-layer-htp-xff.h"
+
void OutputJsonRegister(void);
#ifdef HAVE_LIBJANSSON
LogFileCtx *file_ctx;
enum LogFileType json_out;
bool include_metadata;
+ HttpXFFCfg *xff_cfg;
} OutputJsonCtx;
json_t *SCJsonBool(int val);
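Review bot: The new `xff_cfg` member is undocumented, and its ownership and nullability are exactly what the init and deinit paths depend on. Add a comment on the field: `HttpXFFCfg *xff_cfg; /* per-output XFF settings, owned by this ctx; NULL when no 'xff' section is configured */`.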
pcap-file: false
+ # HTTP X-Forwarded-For support by adding an extra field or overwriting
+ # the source or destination IP address (depending on flow direction)
+ # with the one reported in the X-Forwarded-For HTTP header. This is
+ # helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
+ xff:
+ enabled: no
+ # Two operation modes are available, "extra-data" and "overwrite".
+ mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
+ # Header name where the actual IP address will be reported, if more
+ # than one IP address is present, the last IP address will be the
+ # one taken into consideration.
+ header: X-Forwarded-For
+
types:
- alert:
# payload: yes # enable dumping payload in Base64
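Review bot: The comment above `header:` says that with more than one address "the last IP address will be the one taken into consideration", which contradicts the `deployment:` comment a few lines earlier stating that a "forward" deployment uses the first address; the text under `header:` should be reduced to `# Header name where the actual IP address will be reported.` and leave the first/last selection to `deployment`. Separately, X-Forwarded-For is client-supplied, so a sentence of warning belongs in the header block: `# NOTE: the header is set by the client and is only trustworthy if a proxy you control strips or appends it; with mode "overwrite" a forged header replaces the real peer address in the logs.` — in particular the "forward" deployment's first address is whatever the client sent. The default `enabled: no` is the right choice given that.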