Enabling X-Forwarded IPs in Security Onion

JoeJustice

Feb 20, 2015, 9:04:39 AM
to securit...@googlegroups.com
Is there a way to implement X-Forwarded IP addresses into Security Onion Snort and Snorby? I have found an old thread that seemed to indicate this was only a function of Suricata within Security Onion.

If not possible, I'm just looking for verification but if it is possible a nudge in the right direction would be appreciated.

Doug Burks

Feb 20, 2015, 5:55:47 PM
to securit...@googlegroups.com
Hi JoeJustice,

I believe that Snort can log the X-Forwarded-For IP addresses in the
unified2 output, but I'm not sure that barnyard2 or any analyst
interfaces parse that right now.

I believe that Suricata can replace the source IP address with the
X-Forwarded-For IP address so that you can see it in Snorby and other
interfaces. However, I think if you do this, you'll have difficulty
pivoting to CapME for full packet capture since it will be searching
for a TCP stream with the X-Forwarded-For IP address.

On Fri, Feb 20, 2015 at 9:04 AM, JoeJustice <mcdouga...@gmail.com> wrote:
> Is there a way to implement X-Forwarded IP addresses into Security Onion Snort and Snorby? I have found an old thread that seemed to indicate this was only a function of Suricata within Security Onion.
>
> If not possible, I'm just looking for verification but if it is possible a nudge in the right direction would be appreciated.
>

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Joel Esler

Feb 23, 2015, 10:00:19 AM
to securit...@googlegroups.com
Doug is correct from the Snort angle. I thought Snorby handled that field in unified2…?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

jumbo jim

Apr 1, 2015, 6:11:28 AM
to securit...@googlegroups.com
The SO configuration of ELSA has some handy shortcuts such as 'top source' IPs etc. I understand this info comes from Bro.

Might anyone have a recommendation on how I might be able to get 'top source' working for XFF IPs?

Also in the event I wanted to investigate a pcap relating to a specific session involving an XFF IP, might this be possible?

If some things were likely to 'break' due to XFF patches/changes etc., could a second vanilla SO installation share the same data, or would it simply be easier to mirror to a second SO box?

jumbo jim

Apr 3, 2015, 9:31:42 AM
to securit...@googlegroups.com

> I believe that Suricata can replace the source IP address with the
> X-Forwarded-For IP address so that you can see it in Snorby and other
> interfaces. However, I think if you do this, you'll have difficulty
> pivoting to CapME for full packet capture since it will be searching
> for a TCP stream with the X-Forwarded-For IP address.
>

As I understand it, Suricata and Snort are independent of each other. Could Suricata be used to swap XFF for the IP, and in the event of a CapME pivot, you would have to first manually identify the stream with Snorby, which could then allow you to move into CapME? A little messy perhaps?

I have a situation where I want to sit SO behind a proxy. XFF is passed on by the proxy. What might be the most practical method of pulling meaningful information from SO? I want to see stats such as busiest inbound/outbound by XFF IP etc., and then analyze further from there if possible.
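The two points raised in this thread, Doug's note that overwriting the source IP with the X-Forwarded-For address breaks the CapME pivot because the pcap only ever contains the proxy's TCP stream, and jumbo jim's wish for 'busiest by XFF IP' statistics, can be illustrated with a small parser. The following is an added example and is not code from the thread, from Security Onion, Suricata or Snort; the sample requests, the proxy address 10.0.0.5 and the `TRUSTED_PROXIES` set are constructed assumptions. It models the two behaviours Doug describes (keep the XFF address as extra data, or overwrite the source with it) while always retaining the real 5-tuple that a packet-capture lookup needs, and it only honours the header when the packet actually arrived from the trusted proxy, since any client can send an X-Forwarded-For header of its own.

```python
"""Added example: X-Forwarded-For handling behind a reverse proxy.

Not part of the thread or of Security Onion/Suricata/Snort; sample
data and the trusted-proxy address are constructed for illustration.
"""
from collections import Counter
from ipaddress import ip_address

# Assumption: the reverse proxy in front of the sensor. Only requests whose
# IP source is this host carry an X-Forwarded-For value we can trust.
TRUSTED_PROXIES = {"10.0.0.5"}

# Constructed sample flows: (src_ip, dst_ip, src_port, dst_port, raw HTTP request)
SAMPLE_REQUESTS = [
    ("10.0.0.5", "192.168.1.20", 40001, 80,
     "GET /login HTTP/1.1\r\nHost: app.example\r\nX-Forwarded-For: 203.0.113.9\r\n\r\n"),
    ("10.0.0.5", "192.168.1.20", 40002, 80,
     "GET /admin HTTP/1.1\r\nHost: app.example\r\n"
     "X-Forwarded-For: 198.51.100.7, 10.0.0.5\r\n\r\n"),   # chained proxies: leftmost is the client
    ("10.0.0.5", "192.168.1.20", 40003, 80,
     "GET / HTTP/1.1\r\nHost: app.example\r\nX-Forwarded-For: 203.0.113.9\r\n\r\n"),
    ("10.0.0.5", "192.168.1.20", 40004, 80,
     "GET /health HTTP/1.1\r\nHost: app.example\r\n\r\n"),  # no XFF header at all
    ("172.16.0.8", "192.168.1.20", 40005, 80,               # not from the proxy: header is untrusted
     "GET / HTTP/1.1\r\nHost: app.example\r\nX-Forwarded-For: 203.0.113.9\r\n\r\n"),
]


def parse_xff(raw_request):
    """Return the leftmost X-Forwarded-For address as a string, or None.

    The leftmost entry is the original client when proxies append to the
    header; anything that is not a valid IP address is ignored.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            first = value.split(",")[0].strip()
            try:
                return str(ip_address(first))
            except ValueError:
                return None
    return None


def annotate(flows, mode="extra-data", trusted=TRUSTED_PROXIES):
    """Build one record per request in one of two modes.

    "extra-data": keep the proxy as src and attach the XFF client separately.
    "overwrite":  replace src with the XFF client (what Suricata can do).
    Both modes keep 'stream', the real 5-tuple, because the sensor's pcap only
    ever saw proxy -> server; searching the capture for the XFF address as a
    TCP endpoint finds nothing, which is the CapME pivot problem.
    """
    records = []
    for src, dst, sport, dport, raw in flows:
        xff = parse_xff(raw) if src in trusted else None
        rec = {"src": src, "dst": dst, "xff": xff,
               "stream": (src, dst, sport, dport)}
        if mode == "overwrite" and xff:
            rec["src"] = xff
        records.append(rec)
    return records


def top_clients(records, n=5):
    """'Top source' style count keyed on the XFF client when present, else src."""
    return Counter(r["xff"] or r["src"] for r in records).most_common(n)


def stream_for_client(records, client_ip):
    """Map an XFF client back to the 5-tuples a pcap tool must actually search for."""
    return [r["stream"] for r in records if r["xff"] == client_ip]


if __name__ == "__main__":
    recs = annotate(SAMPLE_REQUESTS, mode="overwrite")
    for r in recs:
        print(r)
    print("busiest clients:", top_clients(recs))
    print("streams for 203.0.113.9:", stream_for_client(recs, "203.0.113.9"))
```

Run as a script it prints the annotated records, the busiest clients by XFF address, and the proxy-side 5-tuples that a capture lookup for `203.0.113.9` would really have to query. Note that the fifth request, which carries the same XFF value but did not arrive from the trusted proxy, is counted under its real source `172.16.0.8`.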