Hi JoeJustice,

I believe that Snort can log the X-Forwarded-For IP addresses in the
unified2 output, but I'm not sure that barnyard2 or any analyst
interfaces parse that right now.

I believe that Suricata can replace the source IP address with the
X-Forwarded-For IP address so that you can see it in Snorby and other
interfaces. However, I think if you do this, you'll have difficulty
pivoting to CapME for full packet capture since it will be searching
for a TCP stream with the X-Forwarded-For IP address.

On Fri, Feb 20, 2015 at 9:04 AM, JoeJustice <mcdouga...@gmail.com> wrote:
> Is there a way to implement X-Forwarded IP addresses into Security Onion Snort and Snorby? I have found an old thread that seemed to indicate this was only a function of Suricata within Security Onion.
>
> If not possible, I'm just looking for verification but if it is possible a nudge in the right direction would be appreciated.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
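
The Suricata behaviour mentioned in the reply above is controlled by the `xff` block of the unified2 output in `suricata.yaml`. The fragment below is an added example, not part of the original thread; the `filename` value is a sample, and whether a given Security Onion release ships these settings is not stated in the thread.

```yaml
outputs:
  - unified2-alert:
      enabled: yes
      filename: unified2.alert        # sample value
      xff:
        enabled: yes
        # overwrite:  the alert's source IP is replaced with the address
        #             taken from the header, so it shows up in Snorby, but
        #             the alert no longer matches the TCP stream on the wire
        #             (the CapME pivot problem described in the reply).
        # extra-data: the packet's real IP is kept and the header address
        #             is stored as an extra-data record in unified2; the
        #             pivot to full packet capture still matches the stream.
        mode: extra-data
        # reverse: use the last address in the header (sensor sits behind
        #          a reverse proxy); forward: use the first address.
        deployment: reverse
        # HTTP header to read the original client address from.
        header: X-Forwarded-For
```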