XFF in Intrusion Event Packet Captures

support
Level 1

We are running Firepower 6.0 on the FireSight and a 7000 series sensor. HTTP traffic which the IPS sensor is inspecting is coming via a web proxy which has X-Forwarded-For enabled on it. I have checked this by running a capture on the sensor and can see the real source IP address in the HTTP header of the traffic instead of the proxy IP.

How do we enable the packet capture when an IPS incident is triggered to include the XFF information? At the moment we only get the single attack packet. How do we increase the packet capture size to include the whole session?

Also there is no documentation on the signature "(119:30) HI_CLIENT_BOTH_TRUEIP_XFF_HDRS". Does anyone know what this does?

Thanks
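For readers who want to see what "extracting the original client IP" from an X-Forwarded-For chain actually involves, here is an added example in Python. It is not code from the original post or from Cisco's product; it models the decision an HTTP preprocessor has to make when a request has passed through one or more proxies: the only hops that can be trusted are the ones appended by proxies you operate, so the chain is walked from the right, skipping trusted proxy addresses, and the leftmost value (which the client can write freely) is never taken at face value. The trusted-proxy addresses, the sample request, and the reading of the rule name HI_CLIENT_BOTH_TRUEIP_XFF_HDRS as "both a True-Client-IP and an X-Forwarded-For header are present in one request" are all assumptions made for this example.

```python
"""Original-client-IP extraction from an X-Forwarded-For (XFF) chain.

Added example, not Cisco's code. Demonstrates:
  * parsing the header block of a captured HTTP request,
  * merging repeated X-Forwarded-For headers into one hop list,
  * walking the chain right-to-left past trusted proxies so that a
    client-forged leftmost value is not reported as the "real" source,
  * flagging the case where True-Client-IP and X-Forwarded-For both appear
    (assumed here to be what the rule name BOTH_TRUEIP_XFF_HDRS describes).
"""
import ipaddress

# Constructed: addresses of the proxies we operate. Only XFF hops appended by
# these proxies are trustworthy; anything to their left may have been set by
# the client before the request reached the first proxy.
TRUSTED_PROXIES = {
    ipaddress.ip_address("10.0.0.5"),
    ipaddress.ip_address("10.0.0.6"),
}

# Constructed sample: client 203.0.113.9 forged a leading XFF value
# (198.51.100.7) before the request hit our proxy 10.0.0.5, which appended
# the real client address. It also carries a True-Client-IP header.
SAMPLE_REQUEST = (
    b"GET /login HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"X-Forwarded-For: 198.51.100.7, 203.0.113.9\r\n"
    b"True-Client-IP: 198.51.100.7\r\n"
    b"User-Agent: example-client\r\n"
    b"\r\n"
)


def parse_headers(raw):
    """Parse the header block of a raw HTTP request into {lower-name: [values]}."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def xff_chain(headers):
    """Return the XFF hops left-to-right, merging repeated XFF headers in order."""
    chain = []
    for value in headers.get("x-forwarded-for", []):
        chain.extend(hop.strip() for hop in value.split(",") if hop.strip())
    return chain


def original_client_ip(peer_ip, headers):
    """Decide which address to report as the original client.

    peer_ip is the transport-layer source the sensor saw. If it is not one of
    our proxies the XFF header is untrusted and the peer itself is reported.
    Otherwise the chain is walked from the right, skipping trusted proxies,
    and the first untrusted hop is the client. Malformed chains fall back to
    the transport address rather than reporting attacker-controlled text.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    for hop in reversed(xff_chain(headers)):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


def both_trueip_and_xff(headers):
    """True when a request carries both True-Client-IP and X-Forwarded-For."""
    return "true-client-ip" in headers and "x-forwarded-for" in headers


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_REQUEST)
    print("XFF chain:", xff_chain(hdrs))
    print("original client (peer 10.0.0.5):", original_client_ip("10.0.0.5", hdrs))
    print("original client (peer 192.0.2.1):", original_client_ip("192.0.2.1", hdrs))
    print("both True-Client-IP and XFF present:", both_trueip_and_xff(hdrs))
```

Run stand-alone, the sample reports 203.0.113.9 as the client when the request arrives from the trusted proxy, not the forged 198.51.100.7 at the left of the chain, and reports the transport address unchanged when the request did not come through a trusted proxy at all. That is the property to keep in mind when reading an "original client IP" out of an intrusion event: it is only as reliable as the proxy that appended it.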

2 Replies

Dennis Perto
Level 5

I think you will have more luck if you are running Firepower 6.1.
Release notes: http://www.cisco.com/c/en/us/td/docs/security/firepower/610/relnotes/Firepower_System_Release_Notes_Version_610.html
Search for XFF.

Either way you should check out the manual for the Network Analysis Policy regarding XFF to see if you missed a checkmark or two. :)

http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/application_layer_preprocessors.html#ID-2244-000004d5
Search for Extract Original Client IP Address 

Thank you for that, Dennis.
