10-26-2016 09:06 AM - edited 03-10-2019 06:42 AM
I'm wondering if anyone has implemented a custom Snort rule within their SourceFire IPS to strip X-Forwarded-For information from a packet in transit to the internet. This would be necessary to prevent internal IP disclosure, which could be a compliance issue.
Currently, I'm looking at something like this -
# portvar defines the list without "$"; the rule references it as $HTTP_PORTS
portvar HTTP_PORTS [80,443]
# replace: must be exactly as long as the matched content (16 bytes here); sid/rev are required for a custom rule, 1000001 is a placeholder local sid
alert tcp [10.0.0.0/8,172.16.0.0/12,192.168.0.0/24] any -> any $HTTP_PORTS (msg:"Scraping XFF Header"; flow:to_server,established; content:"X-Forwarded-For:"; http_header; replace:"XXXXXXXXXXXXXXX:"; sid:1000001; rev:1;)
Does anyone see any issues with this? Has anyone implemented a similar custom rule successfully, and if so, how does your rule look?
10-26-2016 04:15 PM
I don't think this can be done. You'd have to know the IP you were matching before you could replace it.
10-27-2016 12:18 PM
Thanks for your reply. I guess I could leverage regex somehow if it is necessary to match IPs within the XFF header. But as I understand it, the rule would match any packet sourcing from RFC1918 addressing, reference the XFF header, and replace the IP therein regardless of what it is? Do I really need to match the XFF IP to make this work?
10-27-2016 12:40 PM
Unfortunately, matching an IP with PCRE is not possible. Content + Replace are tied together.
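Added example, not code from this thread, from Cisco or from the Snort project: a small Python model of what content + replace does to a request, using a constructed HTTP request and constructed RFC1918 address. It shows the two constraints the replies point at (the match is a fixed byte string and the replacement must be the same length) and checks whether the rewritten packet still carries a private address after the header name has been masked. Names such as snort_replace and leaked_private_ips are my own.

```python
import ipaddress
import re
from typing import List

# Constructed sample request as it might leave an internal proxy (example data).
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Forwarded-For: 10.20.30.40\r\n"
    b"User-Agent: test\r\n"
    b"\r\n"
)

# RFC1918 ranges that should never show up in traffic leaving the network.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The OP's content / replace pair: 16 bytes matched, 16 bytes written back.
XFF_CONTENT = b"X-Forwarded-For:"
XFF_REPLACE = b"X" * 15 + b":"


def snort_replace(payload: bytes, content: bytes, replacement: bytes) -> bytes:
    """Model of Snort's content + replace: a literal byte match (no regex) that is
    overwritten in place with a string of exactly the same length. Snort rejects a
    replace string whose length differs from the content, so we do the same."""
    if len(content) != len(replacement):
        raise ValueError("replace string must be the same length as content")
    idx = payload.find(content)
    if idx == -1:
        return payload
    return payload[:idx] + replacement + payload[idx + len(content):]


def leaked_private_ips(payload: bytes) -> List[str]:
    """Return every RFC1918 address still visible anywhere in the payload.
    This is the check a defender runs on the rewritten packet: masking the
    header name alone does not remove the address from the wire."""
    found = []
    for m in re.finditer(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b", payload):
        try:
            ip = ipaddress.ip_address(m.group().decode())
        except ValueError:
            continue  # e.g. "999.1.1.1" is not an address
        if any(ip in net for net in RFC1918):
            found.append(str(ip))
    return found


if __name__ == "__main__":
    masked = snort_replace(SAMPLE_REQUEST, XFF_CONTENT, XFF_REPLACE)
    print(masked.decode())
    print("private addresses still on the wire:", leaked_private_ips(masked))
    # The value cannot be handled the same way: "10.20.30.40" is 11 bytes,
    # another client's address may be 9 or 15, so no single fixed-length
    # content/replace pair covers it.
    try:
        snort_replace(SAMPLE_REQUEST, b"10.20.30.40", b"0.0.0.0")
    except ValueError as e:
        print("rejected:", e)
```

Running it shows the header name replaced by X's while 10.20.30.40 is still present in the request, and shows the length check rejecting a replacement that does not match the content length. That is the gap the accepted answer describes: the rule can hide the header name, but without a fixed-length literal for the address there is nothing for replace to work on.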