diff --git a/src/alert-unified2-alert.c b/src/alert-unified2-alert.c index 14432d46a8..4bfea39770 100644 --- a/src/alert-unified2-alert.c +++ b/src/alert-unified2-alert.c @@ -342,7 +342,7 @@ int Unified2Logger(ThreadVars *t, void *data, const Packet *p) FLOWLOCK_RDLOCK(p->flow); if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) { - have_xff_ip = HttpXFFGetIP(p, xff_cfg->header, buffer, XFF_MAXLEN); + have_xff_ip = HttpXFFGetIP(p, xff_cfg, buffer, XFF_MAXLEN); } FLOWLOCK_UNLOCK(p->flow); @@ -903,9 +903,9 @@ static int Unified2IPv6TypeAlert(ThreadVars *t, const Packet *p, void *data) FLOWLOCK_RDLOCK(p->flow); if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) { if (pa->flags & PACKET_ALERT_FLAG_TX) { - have_xff_ip = HttpXFFGetIPFromTx(p, pa->tx_id, xff_cfg->header, buffer, XFF_MAXLEN); + have_xff_ip = HttpXFFGetIPFromTx(p, pa->tx_id, xff_cfg, buffer, XFF_MAXLEN); } else { - have_xff_ip = HttpXFFGetIP(p, xff_cfg->header, buffer, XFF_MAXLEN); + have_xff_ip = HttpXFFGetIP(p, xff_cfg, buffer, XFF_MAXLEN); } } FLOWLOCK_UNLOCK(p->flow); @@ -1080,9 +1080,9 @@ static int Unified2IPv4TypeAlert (ThreadVars *tv, const Packet *p, void *data) FLOWLOCK_RDLOCK(p->flow); if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) { if (pa->flags & PACKET_ALERT_FLAG_TX) { - have_xff_ip = HttpXFFGetIPFromTx(p, pa->tx_id, xff_cfg->header, buffer, XFF_MAXLEN); + have_xff_ip = HttpXFFGetIPFromTx(p, pa->tx_id, xff_cfg, buffer, XFF_MAXLEN); } else { - have_xff_ip = HttpXFFGetIP(p, xff_cfg->header, buffer, XFF_MAXLEN); + have_xff_ip = HttpXFFGetIP(p, xff_cfg, buffer, XFF_MAXLEN); } } FLOWLOCK_UNLOCK(p->flow); diff --git a/src/app-layer-htp-xff.c b/src/app-layer-htp-xff.c index 2d931daeb3..9337ba18f7 100644 --- a/src/app-layer-htp-xff.c +++ b/src/app-layer-htp-xff.c @@ -44,13 +44,14 @@ * \retval 1 if the IP has been found and returned in dstbuf * \retval 0 if the IP has not being found or error */ -int HttpXFFGetIPFromTx(const Packet *p, uint64_t tx_id, char *xff_header, char *dstbuf, - int dstbuflen) +int HttpXFFGetIPFromTx(const Packet *p, uint64_t tx_id, HttpXFFCfg *xff_cfg, + char *dstbuf, int dstbuflen) { uint8_t xff_chain[XFF_CHAIN_MAXLEN]; HtpState *htp_state = NULL; htp_tx_t *tx = NULL; uint64_t total_txs = 0; + uint8_t *p_xff = NULL; htp_state = (HtpState *)FlowGetAppState(p->flow); @@ -71,7 +72,7 @@ int HttpXFFGetIPFromTx(const Packet *p, uint64_t tx_id, char *xff_header, char * htp_header_t *h_xff = NULL; if (tx->request_headers != NULL) { - h_xff = htp_table_get_c(tx->request_headers, xff_header); + h_xff = htp_table_get_c(tx->request_headers, xff_cfg->header); } if (h_xff != NULL && bstr_len(h_xff->value) >= XFF_CHAIN_MINLEN && @@ -79,12 +80,23 @@ int HttpXFFGetIPFromTx(const Packet *p, uint64_t tx_id, char *xff_header, char * memcpy(xff_chain, bstr_ptr(h_xff->value), bstr_len(h_xff->value)); xff_chain[bstr_len(h_xff->value)]=0; - /** Check for chained IP's separated by ", ", we will get the last one */ - uint8_t *p_xff = memrchr(xff_chain, ' ', bstr_len(h_xff->value)); - if (p_xff == NULL) { + + if (xff_cfg->flags & XFF_REVERSE) { + /** Get the last IP address from the chain */ + p_xff = memrchr(xff_chain, ' ', bstr_len(h_xff->value)); + if (p_xff == NULL) { + p_xff = xff_chain; + } else { + p_xff++; + } + } + else { + /** Get the first IP address from the chain */ + p_xff = memchr(xff_chain, ',', bstr_len(h_xff->value)); + if (p_xff != NULL) { + xff_chain[bstr_len(h_xff->value) - strlen((char *)p_xff)]=0; + } p_xff = xff_chain; - } else { - p_xff++; } /** Sanity check on extracted IP for IPv4 and IPv6 */ uint32_t ip[4]; @@ -102,7 +114,7 @@ int HttpXFFGetIPFromTx(const Packet *p, uint64_t tx_id, char *xff_header, char * * \retval 1 if the IP has been found and returned in dstbuf * \retval 0 if the IP has not being found or error */ -int HttpXFFGetIP(const Packet *p, char *xff_header, char *dstbuf, int dstbuflen) +int HttpXFFGetIP(const Packet *p, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen) { HtpState *htp_state = NULL; uint64_t tx_id = 0; @@ -116,7 +128,7 @@ int HttpXFFGetIP(const Packet *p, char *xff_header, char *dstbuf, int dstbuflen) total_txs = AppLayerParserGetTxCnt(p->flow->proto, ALPROTO_HTTP, htp_state); for (; tx_id < total_txs; tx_id++) { - if (HttpXFFGetIPFromTx(p, tx_id, xff_header, dstbuf, dstbuflen) == 1) + if (HttpXFFGetIPFromTx(p, tx_id, xff_cfg, dstbuf, dstbuflen) == 1) return 1; } diff --git a/src/app-layer-htp-xff.h b/src/app-layer-htp-xff.h index 5ef20125d5..ad4eb8acda 100644 --- a/src/app-layer-htp-xff.h +++ b/src/app-layer-htp-xff.h @@ -45,8 +45,8 @@ typedef struct HttpXFFCfg_ { void HttpXFFGetCfg(ConfNode *conf, HttpXFFCfg *result); -int HttpXFFGetIPFromTx(const Packet *p, uint64_t tx_id, char *xff_header, char *dstbuf, int dstbuflen); +int HttpXFFGetIPFromTx(const Packet *p, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen); -int HttpXFFGetIP(const Packet *p, char *xff_header, char *dstbuf, int dstbuflen); +int HttpXFFGetIP(const Packet *p, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen); #endif /* __APP_LAYER_HTP_XFF_H__ */ diff --git a/src/output-json-alert.c b/src/output-json-alert.c index 4a07f60eae..ed6b3b4373 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -263,9 +263,9 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p) FLOWLOCK_RDLOCK(p->flow); if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) { if (pa->flags & PACKET_ALERT_FLAG_TX) { - have_xff_ip = HttpXFFGetIPFromTx(p, pa->tx_id, xff_cfg->header, buffer, XFF_MAXLEN); + have_xff_ip = HttpXFFGetIPFromTx(p, pa->tx_id, xff_cfg, buffer, XFF_MAXLEN); } else { - have_xff_ip = HttpXFFGetIP(p, xff_cfg->header, buffer, XFF_MAXLEN); + have_xff_ip = HttpXFFGetIP(p, xff_cfg, buffer, XFF_MAXLEN); } } FLOWLOCK_UNLOCK(p->flow);