Snort Rule for Stripping X-Forwarded-For Information

Jeffrey Pouzar
Level 1

I'm wondering if anyone has implemented a custom Snort rule within their SourceFire IPS to strip X-Forwarded-For information from a packet in transit to the internet.  This would be necessary to prevent internal IP disclosure, which could be a compliance issue.

Currently, I'm looking at something like this -

# portvar declares the variable without the leading "$"; rules reference it as $HTTP_PORTS.
# Port 443 is listed, but TLS payloads cannot be matched or rewritten by a content rule.
portvar HTTP_PORTS [80,443]

# Source list covers the full RFC 1918 space (192.168.0.0/16 rather than /24).
# replace: overwrites the matched bytes in place, so the replacement must be exactly as
# long as the content (16 bytes each here), and it only takes effect in inline mode.
# Custom rules need a sid; local rules conventionally use sids of 1000000 or higher.
alert tcp [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16] any -> any $HTTP_PORTS (msg:"Scraping XFF Header"; flow:to_server,established; content:"X-Forwarded-For:"; http_header; replace:"XXXXXXXXXXXXXXX:"; sid:1000001; rev:1;)

Does anyone see any issues with this?  Has anyone implemented a similar custom rule successfully, and if so, how does your rule look?
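As an added illustration, not part of the original thread or of any Snort code: a small Python model of Snort 2's content/replace semantics run over a constructed HTTP request. It shows that the posted rule only rewrites the header name (the one fixed-length string the rule author can know in advance) while the private address stays in the packet, and contrasts that with the per-packet, same-length masking of the header value that would actually hide the address, which a static replace: string cannot express. The request bytes and the RFC 1918 regex are constructed for this example, and snort_replace is a simplified model of the option, not Snort's implementation.

```python
"""Model of Snort 2 content/replace against a constructed HTTP request (added example)."""
import re

# Constructed sample request: the X-Forwarded-For value is an RFC 1918 address.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Forwarded-For: 10.20.30.40\r\n"
    b"User-Agent: curl/8.0\r\n"
    b"\r\n"
)

# Constructed matcher for the three RFC 1918 blocks.
RFC1918 = re.compile(
    rb"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    rb"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    rb"|192\.168\.\d{1,3}\.\d{1,3})\b"
)

# Header line matcher used by the value-masking variant below.
XFF_LINE = re.compile(rb"(?im)^(X-Forwarded-For:[ \t]*)([^\r\n]*)")


def snort_replace(payload: bytes, content: bytes, replacement: bytes) -> bytes:
    """Simplified model of Snort's replace option: the replacement string is fixed
    when the rule is written, must be exactly as long as the content string, and
    only the bytes that 'content' matched are overwritten (first match only)."""
    if len(content) != len(replacement):
        raise ValueError("replace string must be the same length as content")
    idx = payload.find(content)
    if idx == -1:
        return payload  # content did not match: rule does not fire, packet unchanged
    return payload[:idx] + replacement + payload[idx + len(content):]


def apply_posted_rule(payload: bytes) -> bytes:
    """The rule from the post: rename the header, leave its value untouched."""
    return snort_replace(payload, b"X-Forwarded-For:", b"XXXXXXXXXXXXXXX:")


def leaked_private_ips(payload: bytes) -> list:
    """Every RFC 1918 address still readable in the payload."""
    return [m.group(0).decode() for m in RFC1918.finditer(payload)]


def mask_xff_value(payload: bytes) -> bytes:
    """What would be needed to hide the address while keeping packet length:
    overwrite each digit of the header value with 'X'.  The replacement depends
    on the bytes found in each packet, which is exactly what a static replace:
    string in a Snort rule cannot do."""
    def mask(m):
        return m.group(1) + re.sub(rb"\d", b"X", m.group(2))
    return XFF_LINE.sub(mask, payload, count=1)


if __name__ == "__main__":
    rewritten = apply_posted_rule(SAMPLE_REQUEST)
    print(rewritten.decode())
    print("still visible after the posted rule:", leaked_private_ips(rewritten))
    print(mask_xff_value(SAMPLE_REQUEST).decode())
```

Running the block prints the request after the posted rule, with the header renamed to `XXXXXXXXXXXXXXX:` and `10.20.30.40` still present, followed by the masked variant (`XX.XX.XX.XX`) that keeps the packet length unchanged.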

1 Accepted Solution

Unfortunately, matching an IP with PCRE is not possible.  Content + Replace are tied together.

3 Replies

Joel Esler
Cisco Employee

I don't think this can be done. You'd have to know the ip you were matching before you could replace it.  

Thanks for your reply.  I guess I could leverage regex somehow if it is necessary to match IPs within the XFF header.  But as I understand it, the rule would match any packet sourcing from RFC1918 addressing, reference the XFF header, and replace the IP therein regardless of what it is?  Do I really need to match the XFF IP to make this work?

Unfortunately, matching an IP with PCRE is not possible.  Content + Replace are tied together.
