From: Jason Ish
Date: Thu, 3 May 2018 15:27:53 +0000 (-0600)
Subject: eve: use eve-level xff configuration
X-Git-Tag: suricata-4.1.0-rc1~91
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=576584152c8b9c0a85b4490ecbbfc5ea3d5f6a40;p=thirdparty%2Fsuricata.git

eve: use eve-level xff configuration

If an "xff" configuration section exists on the eve object, parse and save it for child loggers to use.
---
diff --git a/src/output-json.c b/src/output-json.c
index a4b31594b9..485ea58517 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -854,6 +854,15 @@ OutputInitResult OutputJsonInitCtx(ConfNode *conf)
 json_ctx->include_metadata = true;
 }
 
+ /* Do we have a global eve xff configuration? */
+ const ConfNode *xff = ConfNodeLookupChild(conf, "xff");
+ if (xff != NULL) {
+ json_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
+ if (likely(json_ctx->xff_cfg != NULL)) {
+ HttpXFFGetCfg(conf, json_ctx->xff_cfg);
+ }
+ }
+
 const char *pcapfile_s = ConfNodeLookupChildValue(conf, "pcap-file");
 if (pcapfile_s != NULL && ConfValIsTrue(pcapfile_s)) {
 json_ctx->file_ctx->is_pcap_offline =
@@ -880,6 +889,9 @@ static void OutputJsonDeInitCtx(OutputCtx *output_ctx)
 "%"PRIu64" events were dropped due to slow or "
 "disconnected socket", logfile_ctx->dropped);
 }
+ if (json_ctx->xff_cfg != NULL) {
+ SCFree(json_ctx->xff_cfg);
+ }
 LogFileFreeCtx(logfile_ctx);
 SCFree(json_ctx);
 SCFree(output_ctx);
diff --git a/src/output-json.h b/src/output-json.h
index ff3870f39d..06d94df38d 100644
--- a/src/output-json.h
+++ b/src/output-json.h
@@ -29,6 +29,8 @@
 #include "util-logopenfile.h"
 #include "output.h"
 
+#include "app-layer-htp-xff.h"
+
 void OutputJsonRegister(void);

 #ifdef HAVE_LIBJANSSON
@@ -66,6 +68,7 @@ typedef struct OutputJsonCtx_ {
 LogFileCtx *file_ctx;
 enum LogFileType json_out;
 bool include_metadata;
+ HttpXFFCfg *xff_cfg;
 } OutputJsonCtx;

 json_t *SCJsonBool(int val);
diff --git a/suricata.yaml.in b/suricata.yaml.in
index d09c8aeac3..2041c7b063 100644
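Review bot: In the OutputJsonInitCtx hunk an SCCalloc failure is swallowed: the `likely(...)` branch has no else, so an operator who configured an eve-level `xff` section ends up with `xff_cfg == NULL` and XFF handling silently off, which matters when the section was meant to correct logged source addresses behind a proxy. The failure should at least be reported, e.g. `} else { SCLogError(SC_ERR_MEM_ALLOC, "failed to allocate eve xff configuration"); }`, or the init should fail like the other allocation checks in this function. The `xff` node itself is only used as a presence test while `HttpXFFGetCfg` is handed the parent `conf`; presumably that helper looks up the `xff` child itself, and a comment such as `/* HttpXFFGetCfg looks up the "xff" child itself; the lookup above only gates the allocation */` would stop a reader from reporting this as a wrong-argument bug. OutputJsonInitCtx starts before and continues after this hunk.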
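Review bot: In the OutputJsonDeInitCtx hunk the NULL guard around `SCFree(json_ctx->xff_cfg);` is redundant if SCFree wraps free(), which accepts NULL; the bare call reads the same as the neighbouring `SCFree(json_ctx);` lines. Freeing only the struct is correct as long as HttpXFFCfg holds no owned pointers (its header name presumably borrows from the ConfNode tree); a one-line comment stating that ownership assumption would protect this teardown if an owned member is added later. OutputJsonDeInitCtx starts before this hunk.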
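Review bot: In the output-json.h include hunk, pulling `app-layer-htp-xff.h` into a header that every eve sub-logger includes is heavier than the pointer member needs; since OutputJsonCtx stores only a `HttpXFFCfg *`, a forward typedef of the struct tag here and the real include in output-json.c would keep the header's dependency surface as it was. If the sub-loggers are expected to call the XFF helpers through this header anyway, that intent is worth a short comment next to the include.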
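Review bot: In the OutputJsonCtx_ hunk the new `xff_cfg` member has no documentation, and its contract (may be NULL, who frees it) is exactly what the child loggers need to know before dereferencing it. Suggest `HttpXFFCfg *xff_cfg; /**< eve-level "xff" settings, NULL when the section is absent; owned and freed by the ctx */`.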
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -173,6 +173,24 @@ outputs:
 pcap-file: false
 
+ # HTTP X-Forwarded-For support by adding an extra field or overwriting
+ # the source or destination IP address (depending on flow direction)
+ # with the one reported in the X-Forwarded-For HTTP header. This is
+ # helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
+ xff:
+ enabled: no
+ # Two operation modes are available, "extra-data" and "overwrite".
+ mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
+ # Header name where the actual IP address will be reported, if more
+ # than one IP address is present, the last IP address will be the
+ # one taken into consideration.
+ header: X-Forwarded-For
+
 types:
 - alert:
 # payload: yes # enable dumping payload in Base64
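Review bot: The comment above `header:` says that with several addresses "the last IP address will be the one taken into consideration", which contradicts the `deployment:` comment a few lines up that a "forward" deployment uses the first address; one of the two should be reworded, e.g. `# Header name carrying the client address; which address is used when several are present is governed by "deployment" above.` Since this header is client-supplied and "overwrite" mode replaces the logged source or destination IP with it, the block should also say that it is only meaningful behind a proxy that sets or sanitises the header, so operators do not enable it on directly exposed sensors.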