From 0a2d7fa809a9608c5063dd1a352fb53e9e7073a1 Mon Sep 17 00:00:00 2001
From: bmeeks8 <bmeeks8@bellsouth.net>
Date: Mon, 9 Nov 2015 22:25:06 -0500
Subject: Add support for X-Forwarded-For info to Unified2 log output options.

---
 config/suricata/suricata_generate_yaml.php | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

(limited to 'config/suricata/suricata_generate_yaml.php')

diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php
index 73a56cb6..3394ad4c 100644
--- a/config/suricata/suricata_generate_yaml.php
+++ b/config/suricata/suricata_generate_yaml.php
@@ -292,6 +292,7 @@ if (!empty($suricatacfg['max_pcap_log_files']))
 else
 	$pcap_log_max_files = "1000";
 
+// Unified2 Alert Log Settings
 if ($suricatacfg['barnyard_enable'] == 'on')
 	$barnyard2_enabled = "yes";
 else
@@ -307,6 +308,28 @@ if (isset($suricatacfg['barnyard_sensor_id']))
 else
 	$unified2_sensor_id = "0";
 
+// Unified2 X-Forwarded-For logging options
+if ($suricatacfg['barnyard_xff_logging'] == 'on') {
+	$unified2_xff_output = "xff:";
+	$unified2_xff_output .= "\n        enabled: yes";
+	if (!empty($suricatacfg['barnyard_xff_mode']))
+		$unified2_xff_output .= "\n        mode: {$suricatacfg['barnyard_xff_mode']}";
+	else
+		$unified2_xff_output .= "\n        mode: extra-data";
+	if (!empty($suricatacfg['barnyard_xff_deployment']))
+		$unified2_xff_output .= "\n        deployment: {$suricatacfg['barnyard_xff_deployment']}";
+	else
+		$unified2_xff_output .= "\n        deployment: reverse";
+	if (!empty($suricatacfg['barnyard_xff_header']))
+		$unified2_xff_output .= "\n        header: {$suricatacfg['barnyard_xff_header']}";
+	else
+		$unified2_xff_output .= "\n        header: X-Forwarded-For";
+}
+else {
+	$unified2_xff_output = "xff:";
+	$unified2_xff_output .= "\n        enabled: no";
+}
+
 // EVE JSON log output settings
 if ($suricatacfg['enable_eve_log'] == 'on')
 	$enable_eve_log = "yes";
-- 
cgit v1.2.3