Hi, I'm setting up the XFF config as shown below. I tried setting `xff.mode` to `overwrite`, but `src_ip` and `flow.src_ip` in the alert.json log are always the proxy server's IP, not the XFF address (in the example below `http.xff` is `51.15.230.111` while `src_ip` and `flow.src_ip` are still `10.x.x.x`).
# Suricata eve-log output stanza as posted in the question. The original
# indentation was lost in the paste, so the nesting is ambiguous: it cannot be
# recovered from this text whether `xff:` sits under the `- alert:` type or
# directly under `eve-log:`. Confirm the placement against the installed
# suricata.yaml before reading anything into the result.
outputs:
- eve-log:
enabled: yes
filetype: regular
filename: alert.json
types:
- alert:
payload: no
payload-buffer-size: 4kb
payload-printable: yes
http-header: yes
http-body: no
http-body-printable: yes
tagged-packets: yes
metadata:
app-layer: true
flow: true
rule:
metadata: true
raw: false
# XFF handling. The address taken from the header is client-controlled input:
# anyone who can reach the sensor directly (not via the proxy) can put an
# arbitrary value in it, so an overwritten src_ip is only as trustworthy as
# the guarantee that all inspected traffic arrived through the proxy.
xff:
enabled: yes
# `overwrite` is intended to replace the packet source address in the alert
# record with the header's address (this is the behaviour the question
# expects); `extra-data` would instead add it as a separate field. Confirm
# which records (alert vs. flow) the installed version rewrites.
mode: overwrite
# reverse: the proxy is expected to be in front of the protected server, so
# the header identifies the real client — confirm this matches the topology.
deployment: reverse
# NOTE(review): two header names are given, separated by a comma. Confirm the
# installed version accepts a list here; if `header:` takes a single name,
# this value matches neither header and src_ip is left untouched. The example
# request only carries X-Forwarded-For, so testing with
# `header: X-Forwarded-For` alone would isolate that question.
header: X-Forwarded-For,X-Real-IP
Example alert entry from alert.json:
{
"alert": {
"action": "allowed",
"category": "Web Application Attack",
"gid": 1,
"rev": 1,
"severity": 1,
"signature": "Atlassian Confluence 凭证硬编码攻击(CVE-2022-26138)",
"signature_id": 1000030
},
"app_proto": "http",
"dest_ip": "10.x.x.x",
"dest_port": 8090,
"direction": "to_server",
"event_type": "alert",
"files": [{
"filename": "/dologin.action",
"gaps": false,
"size": 114,
"state": "CLOSED",
"stored": false,
"tx_id": 0
}],
"flow": {
"bytes_toclient": 1473,
"bytes_toserver": 694,
"dest_ip": "10.x.x.x",
"dest_port": 8090,
"pkts_toclient": 4,
"pkts_toserver": 4,
"src_ip": "10.x.x.x",
"src_port": 36282,
"start": "2024-06-24T11:19:42.223828+0800"
},
"flow_id": 1805762209527624,
"host": "nta01",
"http": {
"hostname": "x.com",
"http_content_type": "text/html",
"http_method": "POST",
"http_request_body_printable": "os_username=disabledsystemuser&os_password=disabled1system1user6708&login=Log+in&os_destination=%2Fhttpvoid.action",
"http_response_body_printable": "<!DOCTYPE html><html><head></head><body><div id=app></div></body></html>",
"http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"length": 1051,
"protocol": "HTTP/1.1",
"status": 404,
"url": "/dologin.action",
"xff": "51.15.230.111"
},
"in_iface": "eth1",
"payload_printable": "POST /dologin.action HTTP/1.1\r\nHost: x.com\r\nX-Forwarded-For: 51.15.230.111\r\nConnection: close\r\nContent-Length: 114\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip\r\n\r\nos_username=disabledsystemuser&os_password=disabled1system1user6708&login=Log+in&os_destination=%2Fhttpvoid.action",
"pkt_src": "wire/pcap",
"proto": "TCP",
"src_ip": "10.x.x.x",
"src_port": 36282,
"stream": 1,
"timestamp": "2024-06-24T11:19:42.228988+0800",
"tx_id": 0,
"vlan": [
1235
]
}