From 6607ee8489f925c0ba918bfe0952124fd5cf2596 Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Thu, 3 May 2018 09:31:53 -0600 Subject: [PATCH] eve/http: use eve-level xff config by default The http section can still have an xff configuration which will take priority over the eve level xff config. --- src/output-json-http.c | 17 ++++++++++++----- suricata.yaml.in | 17 ----------------- 2 files changed, 12 insertions(+), 22 deletions(-) diff --git a/src/output-json-http.c b/src/output-json-http.c index 47add0a0fe..3c1560cfdc 100644 --- a/src/output-json-http.c +++ b/src/output-json-http.c @@ -61,6 +61,7 @@ typedef struct LogHttpFileCtx_ { uint64_t fields;/** Store fields */ bool include_metadata; HttpXFFCfg *xff_cfg; + HttpXFFCfg *parent_xff_cfg; } LogHttpFileCtx; typedef struct JsonHttpLogThread_ { @@ -468,7 +469,8 @@ static int JsonHttpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Fl MemBufferReset(jhl->buffer); JsonHttpLogJSON(jhl, js, tx, tx_id); - HttpXFFCfg *xff_cfg = jhl->httplog_ctx->xff_cfg; + HttpXFFCfg *xff_cfg = jhl->httplog_ctx->xff_cfg != NULL ? + jhl->httplog_ctx->xff_cfg : jhl->httplog_ctx->parent_xff_cfg; /* xff header */ if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) { @@ -603,7 +605,7 @@ static OutputInitResult OutputHttpLogInitSub(ConfNode *conf, OutputCtx *parent_c OutputInitResult result = { NULL, false }; OutputJsonCtx *ojc = parent_ctx->data; - LogHttpFileCtx *http_ctx = SCMalloc(sizeof(LogHttpFileCtx)); + LogHttpFileCtx *http_ctx = SCCalloc(1, sizeof(LogHttpFileCtx)); if (unlikely(http_ctx == NULL)) return result; memset(http_ctx, 0x00, sizeof(*http_ctx)); @@ -650,9 +652,14 @@ static OutputInitResult OutputHttpLogInitSub(ConfNode *conf, OutputCtx *parent_c } } } - http_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg)); - if (http_ctx->xff_cfg != NULL) { - HttpXFFGetCfg(conf, http_ctx->xff_cfg); + + if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) { + http_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg)); + if (http_ctx->xff_cfg != NULL) { + HttpXFFGetCfg(conf, http_ctx->xff_cfg); + } + } else if (ojc->xff_cfg) { + http_ctx->parent_xff_cfg = ojc->xff_cfg; } output_ctx->data = http_ctx; diff --git a/suricata.yaml.in b/suricata.yaml.in index 2041c7b063..d43a1c4b96 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -226,23 +226,6 @@ outputs: # custom allows additional http fields to be included in eve-log # the example below adds three additional fields when uncommented #custom: [Accept-Encoding, Accept-Language, Authorization] - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - dns: # This configuration uses the new DNS logging format, # the old configuration is still available: