BRO Queries: X-Forwarded-For=xxx.xxx.xxx.xxx


Roger B

Sep 9, 2015, 3:16:45 PM
to security-onion
BRO documentation shows proxied information and I see X-FORWARDED-FOR IP address info in ELSA logs. I can't seem to find the Bro option for reporting on this. Is there a way to extract this from ELSA? Thanks so much.

module HTTP;

## A list of HTTP headers typically used to indicate proxied requests.
const proxy_headers: set[string] = {
	"FORWARDED",
	"X-FORWARDED-FOR",
	"X-FORWARDED-FROM",
	"CLIENT-IP",
	"VIA",
	"XROXY-CONNECTION",
	"PROXY-CONNECTION",
} &redef;

Roger B

Sep 10, 2015, 3:56:55 PM
to security-onion

I figured it out........duh!!! Thanks!!!

Vijay Sharma

Jul 12, 2016, 5:08:59 AM
to security-onion
Hi, can you let me know how you accomplished this, as I am in a similar situation?
Unless I am missing something very obvious, how can we get the X-forward address in the BRO http log?
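
Added example, not part of the original thread and not Bro's own code: with Bro's default HTTP scripts, a header named in proxy_headers is recorded in the proxied column of http.log as NAME -> value, so the forwarded address can be read from that column. The Python below parses that column; the sample log lines are constructed, and the \x2c escaping of commas inside a set element is assumed from the default ASCII log writer.

```python
# Added example: extract X-Forwarded-For values from the "proxied" column of
# a Bro http.log written in the default tab-separated ASCII format.

# Constructed sample log (not from a real sensor); most columns are omitted.
SAMPLE_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\thttp",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\thost\tproxied",
    "#types\ttime\tstring\taddr\taddr\tstring\tset[string]",
    "1441811805.0\tCaaa1\t10.0.0.5\t192.0.2.10\texample.com\t"
    "X-FORWARDED-FOR -> 198.51.100.7",
    "1441811806.0\tCbbb2\t10.0.0.5\t192.0.2.10\texample.com\t-",
    "1441811807.0\tCccc3\t10.0.0.6\t192.0.2.10\texample.com\t"
    "VIA -> 1.1 proxy1,X-FORWARDED-FOR -> 203.0.113.9\\x2c 10.1.1.1",
])


def forwarded_for(lines, header="X-FORWARDED-FOR"):
    """Yield (uid, connection source, [forwarded IPs]) per matching row."""
    meta = {"set_separator": ",", "unset_field": "-", "empty_field": "(empty)"}
    fields = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key in meta:
                meta[key] = rest
            continue
        row = dict(zip(fields, line.split("\t")))
        proxied = row.get("proxied", meta["unset_field"])
        if proxied in (meta["unset_field"], meta["empty_field"]):
            continue
        for item in proxied.split(meta["set_separator"]):
            name, arrow, value = item.partition(" -> ")
            if arrow and name.upper() == header:
                # A comma inside one set element is logged escaped as \x2c.
                value = value.replace("\\x2c", ",")
                ips = [ip.strip() for ip in value.split(",") if ip.strip()]
                yield row["uid"], row["id.orig_h"], ips


if __name__ == "__main__":
    for uid, src, ips in forwarded_for(SAMPLE_HTTP_LOG.splitlines()):
        print(uid, "connection from", src, "forwarded for", ips)
```

The header value is supplied by the client or an upstream proxy, so treat the extracted addresses as a claim to correlate with id.orig_h, not as a verified source.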