Implemented the different behaviour depending on the proxy deployment

- In forward deployment mode the first IP will be returned
- In reverse deployment mode the last IP will be returned
pull/1265/merge
Duarte Silva 11 years ago committed by Victor Julien
parent 496200dd08
commit 68f43ffffb

@ -342,7 +342,7 @@ int Unified2Logger(ThreadVars *t, void *data, const Packet *p)
FLOWLOCK_RDLOCK(p->flow);
if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) {
have_xff_ip = HttpXFFGetIP(p, xff_cfg->header, buffer, XFF_MAXLEN);
have_xff_ip = HttpXFFGetIP(p, xff_cfg, buffer, XFF_MAXLEN);
}
FLOWLOCK_UNLOCK(p->flow);
@ -903,9 +903,9 @@ static int Unified2IPv6TypeAlert(ThreadVars *t, const Packet *p, void *data)
FLOWLOCK_RDLOCK(p->flow);
if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) {
if (pa->flags & PACKET_ALERT_FLAG_TX) {
have_xff_ip = HttpXFFGetIPFromTx(p, pa->tx_id, xff_cfg->header, buffer, XFF_MAXLEN);
have_xff_ip = HttpXFFGetIPFromTx(p, pa->tx_id, xff_cfg, buffer, XFF_MAXLEN);
} else {
have_xff_ip = HttpXFFGetIP(p, xff_cfg->header, buffer, XFF_MAXLEN);
have_xff_ip = HttpXFFGetIP(p, xff_cfg, buffer, XFF_MAXLEN);
}
}
FLOWLOCK_UNLOCK(p->flow);
@ -1080,9 +1080,9 @@ static int Unified2IPv4TypeAlert (ThreadVars *tv, const Packet *p, void *data)
FLOWLOCK_RDLOCK(p->flow);
if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) {
if (pa->flags & PACKET_ALERT_FLAG_TX) {
have_xff_ip = HttpXFFGetIPFromTx(p, pa->tx_id, xff_cfg->header, buffer, XFF_MAXLEN);
have_xff_ip = HttpXFFGetIPFromTx(p, pa->tx_id, xff_cfg, buffer, XFF_MAXLEN);
} else {
have_xff_ip = HttpXFFGetIP(p, xff_cfg->header, buffer, XFF_MAXLEN);
have_xff_ip = HttpXFFGetIP(p, xff_cfg, buffer, XFF_MAXLEN);
}
}
FLOWLOCK_UNLOCK(p->flow);

@ -44,13 +44,14 @@
* \retval 1 if the IP has been found and returned in dstbuf
* \retval 0 if the IP has not being found or error
*/
int HttpXFFGetIPFromTx(const Packet *p, uint64_t tx_id, char *xff_header, char *dstbuf,
int dstbuflen)
int HttpXFFGetIPFromTx(const Packet *p, uint64_t tx_id, HttpXFFCfg *xff_cfg,
char *dstbuf, int dstbuflen)
{
uint8_t xff_chain[XFF_CHAIN_MAXLEN];
HtpState *htp_state = NULL;
htp_tx_t *tx = NULL;
uint64_t total_txs = 0;
uint8_t *p_xff = NULL;
htp_state = (HtpState *)FlowGetAppState(p->flow);
@ -71,7 +72,7 @@ int HttpXFFGetIPFromTx(const Packet *p, uint64_t tx_id, char *xff_header, char *
htp_header_t *h_xff = NULL;
if (tx->request_headers != NULL) {
h_xff = htp_table_get_c(tx->request_headers, xff_header);
h_xff = htp_table_get_c(tx->request_headers, xff_cfg->header);
}
if (h_xff != NULL && bstr_len(h_xff->value) >= XFF_CHAIN_MINLEN &&
@ -79,13 +80,24 @@ int HttpXFFGetIPFromTx(const Packet *p, uint64_t tx_id, char *xff_header, char *
memcpy(xff_chain, bstr_ptr(h_xff->value), bstr_len(h_xff->value));
xff_chain[bstr_len(h_xff->value)]=0;
/** Check for chained IP's separated by ", ", we will get the last one */
uint8_t *p_xff = memrchr(xff_chain, ' ', bstr_len(h_xff->value));
if (xff_cfg->flags & XFF_REVERSE) {
/** Get the last IP address from the chain */
p_xff = memrchr(xff_chain, ' ', bstr_len(h_xff->value));
if (p_xff == NULL) {
p_xff = xff_chain;
} else {
p_xff++;
}
}
else {
/** Get the first IP address from the chain */
p_xff = memchr(xff_chain, ',', bstr_len(h_xff->value));
if (p_xff != NULL) {
xff_chain[bstr_len(h_xff->value) - strlen((char *)p_xff)]=0;
}
p_xff = xff_chain;
}
/** Sanity check on extracted IP for IPv4 and IPv6 */
uint32_t ip[4];
if ( inet_pton(AF_INET, (char *)p_xff, ip ) == 1 ||
@ -102,7 +114,7 @@ int HttpXFFGetIPFromTx(const Packet *p, uint64_t tx_id, char *xff_header, char *
* \retval 1 if the IP has been found and returned in dstbuf
* \retval 0 if the IP has not being found or error
*/
int HttpXFFGetIP(const Packet *p, char *xff_header, char *dstbuf, int dstbuflen)
int HttpXFFGetIP(const Packet *p, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
{
HtpState *htp_state = NULL;
uint64_t tx_id = 0;
@ -116,7 +128,7 @@ int HttpXFFGetIP(const Packet *p, char *xff_header, char *dstbuf, int dstbuflen)
total_txs = AppLayerParserGetTxCnt(p->flow->proto, ALPROTO_HTTP, htp_state);
for (; tx_id < total_txs; tx_id++) {
if (HttpXFFGetIPFromTx(p, tx_id, xff_header, dstbuf, dstbuflen) == 1)
if (HttpXFFGetIPFromTx(p, tx_id, xff_cfg, dstbuf, dstbuflen) == 1)
return 1;
}
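Review bot: In the forward-mode branch of HttpXFFGetIPFromTx the terminator index is computed as `bstr_len(h_xff->value) - strlen((char *)p_xff)`, which equals the comma's offset only when the copied header value contains no embedded NUL byte. `p_xff` already points at the comma, so `if (p_xff != NULL) *p_xff = 0;` cuts the chain at the right place without depending on the rest of the buffer. The header is request data and the first entry of the chain is whatever the client side sent, so the branch comment could say so, e.g. `/** Get the first IP address from the chain; this entry is client-supplied and not vouched for by any proxy */`. The function body starts and ends outside these hunks, and the upper bound guarding the `memcpy` into `xff_chain` sits on a line not shown here, so it is not assessed.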

@ -45,8 +45,8 @@ typedef struct HttpXFFCfg_ {
void HttpXFFGetCfg(ConfNode *conf, HttpXFFCfg *result);
int HttpXFFGetIPFromTx(const Packet *p, uint64_t tx_id, char *xff_header, char *dstbuf, int dstbuflen);
int HttpXFFGetIPFromTx(const Packet *p, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen);
int HttpXFFGetIP(const Packet *p, char *xff_header, char *dstbuf, int dstbuflen);
int HttpXFFGetIP(const Packet *p, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen);
#endif /* __APP_LAYER_HTP_XFF_H__ */
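Review bot: Both new prototypes take a mutable `HttpXFFCfg *xff_cfg`, but the lines shown in this commit only read `xff_cfg->header` and `xff_cfg->flags`. Unless code outside these hunks writes through the pointer, qualifying it as const would document that the lookup never alters the logger's configuration: `int HttpXFFGetIP(const Packet *p, const HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen);`, and likewise for HttpXFFGetIPFromTx. The definitions would need the same qualifier.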

@ -263,9 +263,9 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
FLOWLOCK_RDLOCK(p->flow);
if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP) {
if (pa->flags & PACKET_ALERT_FLAG_TX) {
have_xff_ip = HttpXFFGetIPFromTx(p, pa->tx_id, xff_cfg->header, buffer, XFF_MAXLEN);
have_xff_ip = HttpXFFGetIPFromTx(p, pa->tx_id, xff_cfg, buffer, XFF_MAXLEN);
} else {
have_xff_ip = HttpXFFGetIP(p, xff_cfg->header, buffer, XFF_MAXLEN);
have_xff_ip = HttpXFFGetIP(p, xff_cfg, buffer, XFF_MAXLEN);
}
}
FLOWLOCK_UNLOCK(p->flow);
