eve: use eve-level xff configuration

If an "xff" configuration section exists on the eve object, parse and save it for child loggers to use.
8 years ago · 576584152c
parent 781a7e1089
commit 576584152c
3 changed files with 33 additions and 0 deletions
--- a/src/output-json.c
+++ b/src/output-json.c
@ -854,6 +854,15 @@ OutputInitResult OutputJsonInitCtx(ConfNode *conf)
            json_ctx->include_metadata = true;
        }

+        /* Do we have a global eve xff configuration? */
+        const ConfNode *xff = ConfNodeLookupChild(conf, "xff");
+        if (xff != NULL) {
+            json_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
+            if (likely(json_ctx->xff_cfg != NULL)) {
+                HttpXFFGetCfg(conf, json_ctx->xff_cfg);
+            }
+        }
+
        const char *pcapfile_s = ConfNodeLookupChildValue(conf, "pcap-file");
        if (pcapfile_s != NULL && ConfValIsTrue(pcapfile_s)) {
            json_ctx->file_ctx->is_pcap_offline =
@ -880,6 +889,9 @@ static void OutputJsonDeInitCtx(OutputCtx *output_ctx)
                "%"PRIu64" events were dropped due to slow or "
                "disconnected socket", logfile_ctx->dropped);
    }
+    if (json_ctx->xff_cfg != NULL) {
+        SCFree(json_ctx->xff_cfg);
+    }
    LogFileFreeCtx(logfile_ctx);
    SCFree(json_ctx);
    SCFree(output_ctx);
--- a/src/output-json.h
+++ b/src/output-json.h
@ -29,6 +29,8 @@
 #include "util-logopenfile.h"
 #include "output.h"

+#include "app-layer-htp-xff.h"
+
 void OutputJsonRegister(void);

 #ifdef HAVE_LIBJANSSON
@ -66,6 +68,7 @@ typedef struct OutputJsonCtx_ {
    LogFileCtx *file_ctx;
    enum LogFileType json_out;
    bool include_metadata;
+    HttpXFFCfg *xff_cfg;
 } OutputJsonCtx;

 json_t *SCJsonBool(int val);
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -173,6 +173,24 @@ outputs:

      pcap-file: false

+      # HTTP X-Forwarded-For support by adding an extra field or overwriting
+      # the source or destination IP address (depending on flow direction)
+      # with the one reported in the X-Forwarded-For HTTP header. This is
+      # helpful when reviewing alerts for traffic that is being reverse
+      # or forward proxied.
+      xff:
+        enabled: no
+        # Two operation modes are available, "extra-data" and "overwrite".
+        mode: extra-data
+        # Two proxy deployments are supported, "reverse" and "forward". In
+        # a "reverse" deployment the IP address used is the last one, in a
+        # "forward" deployment the first IP address is used.
+        deployment: reverse
+        # Header name where the actual IP address will be reported, if more
+        # than one IP address is present, the last IP address will be the
+        # one taken into consideration.
+        header: X-Forwarded-For
+
      types:
        - alert:
            # payload: yes             # enable dumping payload in Base64