From: Jason Ish Date: Thu, 3 May 2018 15:36:34 +0000 (-0600) Subject: eve/files: use eve-level xff config by default X-Git-Tag: suricata-4.1.0-rc1~89 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=36ec1281b20e83c2c7569ec8ec9d5d32c750cbb7;p=thirdparty%2Fsuricata.git eve/files: use eve-level xff config by default The files section can still have an xff configuration which will take priority over the eve level xff config. --- diff --git a/src/output-json-file.c b/src/output-json-file.c index c7a62b3417..56d3f56589 100644 --- a/src/output-json-file.c +++ b/src/output-json-file.c @@ -75,6 +75,7 @@ typedef struct OutputFileCtx_ { LogFileCtx *file_ctx; uint32_t file_cnt; HttpXFFCfg *xff_cfg; + HttpXFFCfg *parent_xff_cfg; } OutputFileCtx; typedef struct JsonFileLogThread_ { @@ -243,7 +244,8 @@ json_t *JsonBuildFileInfoRecord(const Packet *p, const File *ff, static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const File *ff, uint32_t dir) { - HttpXFFCfg *xff_cfg = aft->filelog_ctx->xff_cfg; + HttpXFFCfg *xff_cfg = aft->filelog_ctx->xff_cfg != NULL ? + aft->filelog_ctx->xff_cfg : aft->filelog_ctx->parent_xff_cfg;; json_t *js = JsonBuildFileInfoRecord(p, ff, ff->flags & FILE_STORED ? true : false, dir, xff_cfg); if (unlikely(js == NULL)) { @@ -332,7 +334,7 @@ static OutputInitResult OutputFileLogInitSub(ConfNode *conf, OutputCtx *parent_c OutputInitResult result = { NULL, false }; OutputJsonCtx *ojc = parent_ctx->data; - OutputFileCtx *output_file_ctx = SCMalloc(sizeof(OutputFileCtx)); + OutputFileCtx *output_file_ctx = SCCalloc(1, sizeof(OutputFileCtx)); if (unlikely(output_file_ctx == NULL)) return result; 
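Review bot: The new `parent_xff_cfg` member carries no comment, and the two `HttpXFFCfg *` fields now have different ownership: `xff_cfg` is allocated by this output's own init (`SCCalloc` in the OutputFileLogInitSub hunk on this page) while `parent_xff_cfg` is only ever assigned from `ojc->xff_cfg`, so the deinit for this ctx has to free the first and must never free the second. I would annotate the field in place: `HttpXFFCfg *parent_xff_cfg; /* eve-level xff config borrowed from the parent OutputJsonCtx; not owned, never freed here */`. The struct's opening line is outside the hunk, and the deinit function is not part of this diff, so whether it already honours this distinction cannot be seen here.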
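Review bot: The second added line ends in a stray double semicolon, `aft->filelog_ctx->parent_xff_cfg;;`, which compiles as an empty statement but reads as a typo and is flagged by several linters; it should be `aft->filelog_ctx->xff_cfg : aft->filelog_ctx->parent_xff_cfg;`. More importantly, before this change `xff_cfg` was always a (possibly zeroed) allocation, whereas now it is NULL whenever neither the files block nor the eve level configures xff (the init hunk only sets `parent_xff_cfg` when `ojc->xff_cfg` is non-NULL), so `JsonBuildFileInfoRecord`, which is outside the hunk, must tolerate a NULL `xff_cfg` — please confirm it checks before dereferencing. A one-line comment such as `/* a files-level xff block overrides the eve-level one; both may be absent */` above the ternary would make both the precedence and the NULL case explicit. FileWriteJsonRecord's body continues past the end of the hunk.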
@@ -359,9 +361,14 @@ static OutputInitResult OutputFileLogInitSub(ConfNode *conf, OutputCtx *parent_c FileForceHashParseCfg(conf); } - output_file_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg)); - if (output_file_ctx->xff_cfg != NULL) { - HttpXFFGetCfg(conf, output_file_ctx->xff_cfg); + + if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) { + output_file_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg)); + if (output_file_ctx->xff_cfg != NULL) { + HttpXFFGetCfg(conf, output_file_ctx->xff_cfg); + } + } else if (ojc->xff_cfg) { + output_file_ctx->parent_xff_cfg = ojc->xff_cfg; } output_ctx->data = output_file_ctx; diff --git a/suricata.yaml.in b/suricata.yaml.in index d43a1c4b96..37d23931e6 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -269,23 +269,6 @@ outputs: # force logging of checksums, available hash functions are md5, # sha1 and sha256 #force-hash: [md5] - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For #- drop: # alerts: yes # log alerts that caused drops # flows: all # start or all: 'start' logs only a single drop
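Review bot: The assignment `output_file_ctx->parent_xff_cfg = ojc->xff_cfg;` stores a pointer this context does not own, and nothing in the hunk records that; I would add `/* borrowed from the eve-level ctx; freed by the parent, never here */` on that line so the sub-output's deinit (not in this diff) is not later "fixed" to free both members. Two smaller points: if the files block does have an `xff` node but `SCCalloc` fails, both pointers stay NULL (the ctx itself is now calloc'd) and the run silently continues with no XFF handling at all, which deserves at least a log line in an `else` branch; and because the fallback is now automatic, an eve-level `xff` in `overwrite` mode will from this commit on replace the src/dst IP of fileinfo records with the client-supplied X-Forwarded-For value even though the files section says nothing about xff — presumably intended, but worth a sentence in the commit message or next to the deleted block in the config template, since that header is attacker-controlled unless a trusted proxy sets it. OutputFileLogInitSub begins before this hunk.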