From: Jason Ish
Date: Thu, 3 May 2018 18:43:27 +0000 (-0600)
Subject: eve/alert: use eve-level xff config by default
X-Git-Tag: suricata-4.1.0-rc1~86
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d51ebc71a46a507df28bb307bee49d32e708af1;p=thirdparty%2Fsuricata.git
eve/alert: use eve-level xff config by default
The alert section can still have an xff configuration which will take priority over the eve level xff config.
---
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 9233e6310d..c0f1e7515d 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -103,6 +103,7 @@ typedef struct AlertJsonOutputCtx_ {
 uint16_t flags;
 uint32_t payload_buffer_size;
 HttpXFFCfg *xff_cfg;
+ HttpXFFCfg *parent_xff_cfg;
 bool include_metadata;
 } AlertJsonOutputCtx;
@@ -589,7 +590,8 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 json_object_set_new(hjs, "rule", json_string(pa->s->sig_str));
 }
- HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
+ HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ?
+ json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;
 /* xff header */
 if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
@@ -899,21 +901,16 @@ static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
 json_output_ctx->flags |= flags;
 }
-static void JsonAlertLogSetupXff(AlertJsonOutputCtx *json_output_ctx,
- ConfNode *conf)
+static HttpXFFCfg *JsonAlertLogGetXffCfg(ConfNode *conf)
 {
 HttpXFFCfg *xff_cfg = NULL;
-
- xff_cfg = SCMalloc(sizeof(HttpXFFCfg));
- if (unlikely(xff_cfg == NULL)) {
- return;
- }
- memset(xff_cfg, 0, sizeof(HttpXFFCfg));
- json_output_ctx->xff_cfg = xff_cfg;
-
- if (conf != NULL) {
- HttpXFFGetCfg(conf, xff_cfg);
+ if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) {
+ xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
+ if (likely(xff_cfg != NULL)) {
+ HttpXFFGetCfg(conf, xff_cfg);
+ }
 }
+ return xff_cfg;
 }
 /**
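Review bot: The new `parent_xff_cfg` member of AlertJsonOutputCtx has a different ownership than the `xff_cfg` right above it, and nothing at the declaration says so; later in this patch it is assigned from the parent context's `xff_cfg` rather than allocated, so the sub-context must never free it and the parent context must outlive it. A comment at each field would stop the next maintainer from treating the two pointers alike: `/* Owned: allocated by JsonAlertLogGetXffCfg(), released in DeInit. */` above `xff_cfg` and `/* Borrowed from the parent (eve-level) ctx when no local xff section exists; not freed here. */` above `parent_xff_cfg`. Whether the DeInit functions actually leave `parent_xff_cfg` alone cannot be confirmed from this diff.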
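Review bot: The added fallback line in AlertJson ends with a stray double semicolon (`parent_xff_cfg;;`), which compiles but reads as a leftover and trips some lint setups; drop one. Since the precedence is the whole point of the commit, a one-line comment above the ternary would help: `/* A local xff section in the alert config wins; otherwise fall back to the eve-level xff config. */`. The body of AlertJson continues outside the hunk on both sides.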
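Review bot: JsonAlertLogGetXffCfg has no header comment, and its contract matters to both call sites: it returns NULL when conf has no `xff` child and also when SCCalloc fails, and the caller owns a non-NULL result. The allocation-failure case is silently folded into "no local config", which at the call sites in this patch means the alert log quietly falls back to the parent xff config (or none) instead of what the user configured; a log line in the `else` of the `likely()` check (SCLogWarning, if that is the convention in this module) would make the fallback visible. A docstring such as `/** Build an XFF config from the "xff" child of conf. Returns a newly allocated HttpXFFCfg the caller must free, or NULL when conf has no xff section (or allocation fails). */` covers the rest.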
@@ -953,7 +950,7 @@ static OutputInitResult JsonAlertLogInitCtx(ConfNode *conf)
 json_output_ctx->file_ctx = logfile_ctx;
 JsonAlertLogSetupMetadata(json_output_ctx, conf);
- JsonAlertLogSetupXff(json_output_ctx, conf);
+ json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
 output_ctx->data = json_output_ctx;
 output_ctx->DeInit = JsonAlertLogDeInitCtx;
@@ -988,7 +985,10 @@ static OutputInitResult JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent
 json_output_ctx->include_metadata = ajt->include_metadata;
 JsonAlertLogSetupMetadata(json_output_ctx, conf);
- JsonAlertLogSetupXff(json_output_ctx, conf);
+ json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
+ if (json_output_ctx->xff_cfg == NULL) {
+ json_output_ctx->parent_xff_cfg = ajt->xff_cfg;
+ }
 output_ctx->data = json_output_ctx;
 output_ctx->DeInit = JsonAlertLogDeInitCtxSub;
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 37d23931e6..47922e9687 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
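Review bot: After this change `json_output_ctx->xff_cfg` can be NULL in JsonAlertLogInitCtx, where the replaced JsonAlertLogSetupXff always allocated it; the same applies to the JsonAlertLogInitCtxSub hunk below. JsonAlertLogDeInitCtx and JsonAlertLogDeInitCtxSub are outside this diff, so it cannot be verified here that they tolerate a NULL `xff_cfg`; they should be checked, or the release guarded with `if (json_output_ctx->xff_cfg != NULL)` if SCFree is not a plain free() wrapper. The rest of JsonAlertLogInitCtx lies outside the hunk.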
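Review bot: In JsonAlertLogInitCtxSub the sub-context now stores a borrowed pointer, `ajt->xff_cfg`, in `parent_xff_cfg` whenever it has no local xff section, so its lifetime is tied to the parent OutputCtx; JsonAlertLogDeInitCtxSub (outside this diff) must free only `xff_cfg`, never `parent_xff_cfg`, and the parent has to be torn down after its sub-contexts. `parent_xff_cfg` is also never set on the other branch, so its being NULL there depends on how json_output_ctx was allocated earlier in the function, which is outside the hunk; an explicit `json_output_ctx->parent_xff_cfg = NULL;` before the `if`, plus `/* borrowed; owned and freed by the parent ctx */` at the assignment, would make the intent robust. The start and end of the function are outside the hunk.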
@@ -203,24 +203,6 @@ outputs:
 # Enable the logging of tagged packets for rules using the
 # "tag" keyword.
 tagged-packets: yes
-
- # HTTP X-Forwarded-For support by adding an extra field or overwriting
- # the source or destination IP address (depending on flow direction)
- # with the one reported in the X-Forwarded-For HTTP header. This is
- # helpful when reviewing alerts for traffic that is being reverse
- # or forward proxied.
- xff:
- enabled: no
- # Two operation modes are available, "extra-data" and "overwrite".
- mode: extra-data
- # Two proxy deployments are supported, "reverse" and "forward". In
- # a "reverse" deployment the IP address used is the last one, in a
- # "forward" deployment the first IP address is used.
- deployment: reverse
- # Header name where the actual IP address will be reported, if more
- # than one IP address is present, the last IP address will be the
- # one taken into consideration.
- header: X-Forwarded-For
-
 http:
 extended: yes # enable this for extended logging information
 # custom allows additional http fields to be included in eve-log