eve/alert: use eve-level xff config by default

The alert section can still have an xff configuration, which takes priority over the eve-level xff config.
pull/3370/head
Jason Ish 7 years ago committed by Victor Julien
parent e3645bd9ae
commit 0d51ebc71a

@ -103,6 +103,7 @@ typedef struct AlertJsonOutputCtx_ {
uint16_t flags;
uint32_t payload_buffer_size;
HttpXFFCfg *xff_cfg;
HttpXFFCfg *parent_xff_cfg;
bool include_metadata;
} AlertJsonOutputCtx;
@ -589,7 +590,8 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
json_object_set_new(hjs, "rule", json_string(pa->s->sig_str));
}
HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ?
json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;
/* xff header */
if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
@ -899,21 +901,16 @@ static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
json_output_ctx->flags |= flags;
}
static void JsonAlertLogSetupXff(AlertJsonOutputCtx *json_output_ctx,
ConfNode *conf)
static HttpXFFCfg *JsonAlertLogGetXffCfg(ConfNode *conf)
{
HttpXFFCfg *xff_cfg = NULL;
xff_cfg = SCMalloc(sizeof(HttpXFFCfg));
if (unlikely(xff_cfg == NULL)) {
return;
}
memset(xff_cfg, 0, sizeof(HttpXFFCfg));
json_output_ctx->xff_cfg = xff_cfg;
if (conf != NULL) {
HttpXFFGetCfg(conf, xff_cfg);
if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) {
xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
if (likely(xff_cfg != NULL)) {
HttpXFFGetCfg(conf, xff_cfg);
}
}
return xff_cfg;
}
/**
@ -953,7 +950,7 @@ static OutputInitResult JsonAlertLogInitCtx(ConfNode *conf)
json_output_ctx->file_ctx = logfile_ctx;
JsonAlertLogSetupMetadata(json_output_ctx, conf);
JsonAlertLogSetupXff(json_output_ctx, conf);
json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
output_ctx->data = json_output_ctx;
output_ctx->DeInit = JsonAlertLogDeInitCtx;
@ -988,7 +985,10 @@ static OutputInitResult JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent
json_output_ctx->include_metadata = ajt->include_metadata;
JsonAlertLogSetupMetadata(json_output_ctx, conf);
JsonAlertLogSetupXff(json_output_ctx, conf);
json_output_ctx->xff_cfg = JsonAlertLogGetXffCfg(conf);
if (json_output_ctx->xff_cfg == NULL) {
json_output_ctx->parent_xff_cfg = ajt->xff_cfg;
}
output_ctx->data = json_output_ctx;
output_ctx->DeInit = JsonAlertLogDeInitCtxSub;
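Review bot: In JsonAlertLogGetXffCfg an SCCalloc failure returns NULL exactly as "no xff section configured" does, and JsonAlertLogInitCtxSub then takes the `json_output_ctx->xff_cfg == NULL` branch and silently falls back to the parent's xff config, so an allocation failure at startup changes which X-Forwarded-For policy the alert logger applies instead of failing initialisation. The failure should at least be reported before returning, e.g. an `else` on the `likely(xff_cfg != NULL)` check with `SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate alert xff config");`, and preferably the callers should treat it as an init error rather than a missing section. parent_xff_cfg is a borrowed pointer owned by the parent context, so JsonAlertLogDeInitCtxSub (outside this view) must free only xff_cfg and never parent_xff_cfg; the ternary in AlertJson also relies on parent_xff_cfg being NULL for the non-sub context, which holds only if json_output_ctx is zero-initialised on allocation (not visible here). Separately, the new xff_cfg initialiser in AlertJson ends in `;;`, a stray empty statement that should read `json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;`.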

@ -203,24 +203,6 @@ outputs:
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
tagged-packets: yes
# HTTP X-Forwarded-For support by adding an extra field or overwriting
# the source or destination IP address (depending on flow direction)
# with the one reported in the X-Forwarded-For HTTP header. This is
# helpful when reviewing alerts for traffic that is being reverse
# or forward proxied.
xff:
enabled: no
# Two operation modes are available, "extra-data" and "overwrite".
mode: extra-data
# Two proxy deployments are supported, "reverse" and "forward". In
# a "reverse" deployment the IP address used is the last one, in a
# "forward" deployment the first IP address is used.
deployment: reverse
# Header name where the actual IP address will be reported, if more
# than one IP address is present, the last IP address will be the
# one taken into consideration.
header: X-Forwarded-For
- http:
extended: yes # enable this for extended logging information
# custom allows additional http fields to be included in eve-log
