/* overwrite mode can only work per u2 block, not per individual
* alert. So we'll look for an XFF record once */
- if ((xff_cfg->mode & XFF_OVERWRITE) && p->flow != NULL) {
+ if ((xff_cfg->flags & XFF_OVERWRITE) && p->flow != NULL) {
char buffer[XFF_MAXLEN];
int have_xff_ip = 0;
HttpXFFCfg *xff_cfg = aun->unified2alert_ctx->xff_cfg;
- if ((xff_cfg->mode & XFF_EXTRADATA) && p->flow != NULL) {
+ if ((xff_cfg->flags & XFF_EXTRADATA) && p->flow != NULL) {
char buffer[XFF_MAXLEN];
int have_xff_ip = 0;
HttpXFFCfg *xff_cfg = aun->unified2alert_ctx->xff_cfg;
- if ((xff_cfg->mode & XFF_EXTRADATA) && p->flow != NULL) {
+ if ((xff_cfg->flags & XFF_EXTRADATA) && p->flow != NULL) {
char buffer[XFF_MAXLEN];
int have_xff_ip = 0;
const char *xff_mode = ConfNodeLookupChildValue(xff_node, "mode");
if (xff_mode != NULL && strcasecmp(xff_mode, "overwrite") == 0) {
- result->mode |= XFF_OVERWRITE;
+ result->flags |= XFF_OVERWRITE;
} else {
if (xff_mode == NULL) {
SCLogWarning(SC_WARN_XFF_INVALID_MODE, "The XFF mode hasn't been defined, falling back to extra-data mode");
SCLogWarning(SC_WARN_XFF_INVALID_MODE, "The XFF mode %s is invalid, falling back to extra-data mode",
xff_mode);
}
- result->mode |= XFF_EXTRADATA;
+ result->flags |= XFF_EXTRADATA;
+ }
+
+ const char *xff_deployment = ConfNodeLookupChildValue(xff_node, "deployment");
+
+ if (xff_deployment != NULL && strcasecmp(xff_deployment, "forward") == 0) {
+ result->flags |= XFF_FORWARD;
+ } else {
+ if (xff_deployment == NULL) {
+ SCLogWarning(SC_WARN_XFF_INVALID_DEPLOYMENT, "The XFF deployment hasn't been defined, falling back to reverse proxy deployment");
+ }
+ else if (strcasecmp(xff_deployment, "reverse") != 0) {
+ SCLogWarning(SC_WARN_XFF_INVALID_DEPLOYMENT, "The XFF mode %s is invalid, falling back to reverse proxy deployment",
+ xff_deployment);
+ }
+ result->flags |= XFF_REVERSE;
}
const char *xff_header = ConfNodeLookupChildValue(xff_node, "header");
}
}
else {
- result->mode = XFF_DISABLED;
+ result->flags = XFF_DISABLED;
}
}
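Review bot: The invalid-deployment warning on the `else if (strcasecmp(xff_deployment, "reverse") != 0)` branch reports the wrong setting: it reads "The XFF mode %s is invalid, falling back to reverse proxy deployment" although the value being rejected is `deployment`, which will send an operator looking at the wrong option. Change the message to `"The XFF deployment %s is invalid, falling back to reverse proxy deployment"`. The surrounding branch structure otherwise mirrors the mode parsing above it, so keeping the two messages parallel ("mode" vs "deployment") also makes log triage easier. The enclosing parsing function starts and ends outside this section.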
#define XFF_EXTRADATA 2
/** XFF overwrite mode */
#define XFF_OVERWRITE 4
+/** XFF is to be used in a reverse proxy deployment */
+#define XFF_REVERSE 8
+/** XFF is to be used in a forward proxy deployment */
+#define XFF_FORWARD 16
/** Single XFF IP maximum length (default value based on IPv6 address length) */
#define XFF_MAXLEN 46
typedef struct HttpXFFCfg_ {
- uint8_t mode; /**< XFF operation mode */
+ uint8_t flags; /**< XFF operation mode and deployment */
char *header; /**< XFF header name */
} HttpXFFCfg;
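Review bot: The new `flags` field comment does not say how the bits combine, and a reader of the header cannot tell that a mode bit and a deployment bit are meant to coexist while `XFF_DISABLED` stands alone (the parser assigns `XFF_DISABLED` outright but ORs in one of `XFF_EXTRADATA`/`XFF_OVERWRITE` plus one of `XFF_REVERSE`/`XFF_FORWARD`). Suggest `uint8_t flags; /**< XFF_DISABLED alone, or one mode bit (XFF_EXTRADATA/XFF_OVERWRITE) OR'd with one deployment bit (XFF_REVERSE/XFF_FORWARD) */`. It may also be worth a one-line comment above `XFF_REVERSE`/`XFF_FORWARD` stating that exactly one of the two is expected to be set, since consumers that test `flags & XFF_REVERSE` will otherwise silently treat "neither" and "both" the same way; whether any such consumer exists is outside this section.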
HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
/* xff header */
- if (!(xff_cfg->mode & XFF_DISABLED) && p->flow != NULL) {
+ if (!(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
int have_xff_ip = 0;
char buffer[XFF_MAXLEN];
FLOWLOCK_UNLOCK(p->flow);
if (have_xff_ip) {
- if (xff_cfg->mode & XFF_EXTRADATA) {
+ if (xff_cfg->flags & XFF_EXTRADATA) {
json_object_set_new(js, "xff", json_string(buffer));
}
- else if (xff_cfg->mode & XFF_OVERWRITE) {
+ else if (xff_cfg->flags & XFF_OVERWRITE) {
if (p->flowflags & FLOW_PKT_TOCLIENT) {
json_object_set(js, "dest_ip", json_string(buffer));
} else {
CASE_CODE (SC_ERR_THREAD_QUEUE);
CASE_CODE (SC_WARN_XFF_INVALID_MODE);
CASE_CODE (SC_WARN_XFF_INVALID_HEADER);
+ CASE_CODE (SC_WARN_XFF_INVALID_DEPLOYMENT);
CASE_CODE (SC_ERR_THRESHOLD_SETUP);
CASE_CODE (SC_ERR_DNS_CONFIG);
CASE_CODE (SC_ERR_MODBUS_CONFIG);
SC_ERR_THREAD_QUEUE,
SC_WARN_XFF_INVALID_MODE,
SC_WARN_XFF_INVALID_HEADER,
+ SC_WARN_XFF_INVALID_DEPLOYMENT,
SC_ERR_THRESHOLD_SETUP,
SC_ERR_DNS_CONFIG,
SC_ERR_MODBUS_CONFIG,
# HTTP X-Forwarded-For support by adding an extra field or overwriting
# the source or destination IP address (depending on flow direction)
# with the one reported in the X-Forwarded-For HTTP header. This is
- # helpful when reviewing alerts for traffic that is being reversed
- # proxied.
+ # helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
xff:
enabled: no
# Two operation modes are available, "extra-data" and "overwrite".
mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
# Header name where the actual IP address will be reported, if more
# than one IP address is present, the last IP address will be the
# one taken into consideration.
# HTTP X-Forwarded-For support by adding the unified2 extra header or
# overwriting the source or destination IP address (depending on flow
# direction) with the one reported in the X-Forwarded-For HTTP header.
- # This is helpful when reviewing alerts for traffic that is being reversed
- # proxied.
+ # This is helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
xff:
enabled: no
# Two operation modes are available, "extra-data" and "overwrite". Note
# X-Forwarded-For header is of a different version of the packet
# received, it will fall-back to "extra-data" mode.
mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
# Header name where the actual IP address will be reported, if more
# than one IP address is present, the last IP address will be the
# one taken into consideration.
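Review bot: The `header` comment that follows the new `deployment` key in both files still says "if more than one IP address is present, the last IP address will be the one taken into consideration", which now contradicts the `deployment` text two lines above it stating that a "forward" deployment uses the first address. Suggest rewording it to something like `# Header name where the actual IP address will be reported. When more than one address is present, the "deployment" setting decides whether the first or the last one is used.` (same change in the unified2 section). Since the first address in an X-Forwarded-For list is supplied by the client rather than appended by the proxy, a short caveat such as `# "forward" should only be used when the proxy is trusted to set or sanitize the header, as the first address can be chosen by the client.` would help operators avoid logging or overwriting IPs with an unverified value.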