Modifying src address with X-Forwarded-For IP


Furkan Çalışkan

Nov 30, 2015, 6:02:39 AM11/30/15
to security-onion
Hi,

I'm mirroring my SO traffic from behind my WAF device. So, whenever traffic occurs, I can only see the internal IP after the WAF's NATing. But I could set an X-Forwarded-For header from the WAF.

Here's my question: is there any method for replacing the source IP with the X-Forwarded-For IP for specific traffic? By doing this, I want to see the real IP in my Sguil/Squert GUI console.

Thanks,

Doug Burks

Nov 30, 2015, 11:21:27 AM11/30/15
to securit...@googlegroups.com
I believe that Suricata has an option to do this. However, please
keep in mind that if you're running full packet capture and you enable
this option, then you most likely won't be able to pivot from IDS
alerts to full packet capture anymore as the IP address won't match.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Furkan Çalışkan

Dec 1, 2015, 6:02:55 AM12/1/15
to security-onion
On Monday, 30 November 2015 at 18:21:27 UTC+2, Doug Burks wrote:
Hi Doug,

Not being able to pivot from alerts to packet capture is a big deal. Is there any method for doing this without compromising the overall integrity? For example, before any application (IDS, netsniff-ng, etc.) starts to use the packet, changing its IP at the network level using BPF etc.? I believe that, since X-Forwarded-For is a Layer 7/HTTP thing, it won't be easy.

Regards,

Doug Burks

Dec 1, 2015, 6:59:35 AM12/1/15
to securit...@googlegroups.com
It's open source, so in theory, anything is possible! :)

If you don't want to modify source code, then you may want to consider
changing your architecture so that you're collecting traffic before
the NAT occurs so that you are seeing real true internal IP addresses.

On Tue, Dec 1, 2015 at 1:49 AM, Furkan Çalışkan

Furkan Çalışkan

Dec 3, 2015, 6:14:46 AM12/3/15
to security-onion
On Monday, 30 November 2015 at 13:02:39 UTC+2, Furkan Çalışkan wrote:
Hi Doug,

As a solution: on my sensors, if I set xff to enabled in the /etc/nsm/<interface-name>/suricata.yaml file, it seems it will work according to the docs.
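The Suricata XFF setting the thread converges on, shown as an added example rather than anything posted by the participants or shipped by Security Onion. It is the `xff` block of the `eve-log` output in suricata.yaml; the interface path and the choice of `extra-data` mode are this example's assumptions. The mode matters for the pivoting concern raised above: `overwrite` replaces the packet's source address in the alert with the header value, which is what breaks the alert-to-pcap pivot, while `extra-data` leaves the packet addresses untouched and reports the header value in a separate `xff` field of the EVE record, so the original flow can still be located in full packet capture.

```yaml
# Assumed sensor path: /etc/nsm/<interface-name>/suricata.yaml
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      xff:
        enabled: yes
        # "extra-data": keep packet src/dst, add the header IP as an "xff"
        #               field in the EVE record (alert-to-pcap pivot still works).
        # "overwrite":  replace the packet src/dst in the record with the
        #               header IP (the behaviour Doug warns breaks the pivot).
        mode: extra-data
        # "reverse": the WAF sits in front of the servers, so the client IP
        #            is the last address in the header.
        # "forward": an outbound proxy; the first address is the client.
        deployment: reverse
        # Header name the WAF inserts; only trust it for traffic that has
        # actually passed through the WAF, since any client can send it.
        header: X-Forwarded-For
```

With `extra-data`, the EVE alert keeps the post-NAT address in `src_ip` and carries the WAF-supplied address in `xff`, so Sguil/Squert lookups against the pcap still match while the real client address is available in the JSON log.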