Snort enable_xff
-
Hi
We're trying to set up an inline snort and since it's on the inside of ssl termination proxies we need to get X-Forwarded-For up and running. Tried to add enable_xff in the Advanced Configuration Pass-Through without success.
If we add it manually in snort.conf it gets removed when we restart snort.
Any ideas how we can get this to work?
Thnx
-
@Mr.:
Hi
We're trying to set up an inline snort and since it's on the inside of ssl termination proxies we need to get X-Forwarded-For up and running. Tried to add enable_xff in the Advanced Configuration Pass-Through without success.
If we add it manually in snort.conf it gets removed when we restart snort.
Any ideas how we can get this to work?
Thnx
This may be a bit difficult to pull off, but should be workable. This is an option that is part of the HTTP_INSPECT preprocessor. As you have noticed, the snort.conf file is recreated from scratch automatically each time edits are made to the Snort configuration via the GUI. So anything you manually add to the file lives there only until the next edit.
Try this method for enabling the "enable_xff" option:
On the Preprocessors tab, uncheck the HTTP_INSPECT preprocessor and then Save the change. This will stop the automatic generation of the HTTP_INSPECT preprocessor settings in snort.conf.
Now go to the Advanced Configuration Pass-Through screen and enter ALL the information for the HTTP_INSPECT preprocessor (including the "enable_xff" option). You might want to "copy and paste" the automatically-generated HTTP_INSPECT options from snort.conf first (as in before you make the edit above), so you have the required fields. Then just add the "enable_xff" option to the list.
Bill
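A worked version of the procedure above, added here as an illustration and not text from the original thread: once the HTTP_INSPECT preprocessor is unchecked on the Preprocessors tab, the Advanced Configuration Pass-Through has to carry the whole http_inspect configuration itself, in Snort 2.9 syntax. The port list, depth values and the unicode.map path below are placeholders chosen for this example; take the real values from the HTTP_INSPECT lines the package generated in your own snort.conf before you uncheck the preprocessor, and add only the enable_xff keyword.

```conf
# Snort 2.9 http_inspect configuration for the Advanced Configuration Pass-Through.
# Example values only: keep the settings the package generated for your interface
# and append just the enable_xff line to the http_inspect_server block.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 \
    compress_depth 65535 \
    decompress_depth 65535

preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 } \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    extended_response_inspection \
    inspect_gzip \
    unlimited_decompress \
    normalize_utf \
    enable_xff
```

After saving, confirm the option survived regeneration and that Snort still parses the file; on the pfSense package the per-interface configuration lives under a path like /usr/local/etc/snort/snort_<id>_<iface>/snort.conf (assumed here), so `grep -n enable_xff` on that file followed by `snort -T -c <that file> -i <iface>` (Snort's configuration self-test) is the check. Make sure exactly one http_inspect_server block remains, otherwise the pass-through and the generated lines will conflict. One caveat on what enable_xff does: in Snort 2.9 it makes http_inspect record the X-Forwarded-For (or True-Client-IP) address as unified2 extra data alongside the alert; it does not rewrite the packet's source address, so whatever acts on the alerts has to read that extra-data record to see the real client IP.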
-
Thnx!
I'll try that :) On another note…
Is it possible to run snort plug-in in inline mode and make it drop packets instead of blocking the source IP? But maybe that needs a new post ;)
-
@Mr.:
On another note…
Is it possible to run snort plug-in in inline mode and make it drop packets instead of blocking the source IP? But maybe that needs a new post ;)
No, it won't run in true inline mode where it drops packets itself. The blocking action is the best available for now. If you construct a proper HOME_NET variable using the Whitelist tab and Aliases, then you can set the block mode to BOTH and be guaranteed to kill the bad traffic without killing a friendly IP. When set to BOTH, the blocking module will test each IP address individually against the whitelist and only block the one NOT in the list. The idea is communication to/from the "bad host" is blocked, but hosts in your HOME_NET or whitelist can still communicate to the "good hosts".
The current logic for auto-generating the HOME_NET variable and default whitelist is not perfect. To get it to work as described above in the current version requires a custom whitelist and HOME_NET. Some changes are being discussed in this thread to make this happen automatically:
http://forum.pfsense.org/index.php/topic,61891.msg334030.html#msg334030
Related to your original post about enabling xff, I have already made it a default for the next package update.
Bill