itagsupport
Level 9

255.255.255.255 as source ip in access log

Hi everybody,

In the access.log, we discovered that for certain URLs the source IP is 255.255.255.255:

[12/Mar/2014:07:42:42 +0100] "e6063" 255.255.255.255 200 "GET http://www.cellartracker.com/sbbi/?sbbpg=cprcs HTTP/1.1" "Software/Hardware" "Minimal Risk" "image/png" 420 803 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Tablet PC 2.0)" "" "0"

[12/Mar/2014:13:20:23 +0100] "e6495" 255.255.255.255 200 "GET http://www.manta.com/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 307 2941 "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0" "" "0"

[14/Mar/2014:08:21:51 +0100] "lga3051" 255.255.255.255 200 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 461 965 "Mozilla/5.0 (compatible; MSIE 9.0; W ndows NT 6.1; WOW64; Trident/5.0)" "" "0"

[14/Mar/2014:08:25:05 +0100] "vpa1709" 255.255.255.255 200 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 461 1198 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0" "" "0"

We saw this at different customers with 7.3.2.3 and 7.3.2.6.

All the different URLs have the same subsite "/sbbi/?sbbpg=cprcs".

BUT: if you access the URL directly, my correct ip is in the log:

[root@sec-gate01 access.log]# grep "/sbbi/?sbbpg=cprcs" access.log

[14/Mar/2014:08:21:51 +0100] "lga3051" 255.255.255.255 200 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 461 965 "Mozilla/5.0 (compatible; MSIE 9.0; W ndows NT 6.1; WOW64; Trident/5.0)" "" "0"

[14/Mar/2014:08:25:05 +0100] "vpa1709" 255.255.255.255 200 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 461 1198 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0" "" "0"

[14/Mar/2014:08:31:59 +0100] "" 255.255.255.255 407 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "" "-" "" 5144 1930 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0 " "" "0"

[14/Mar/2014:08:31:59 +0100] "" 255.255.255.255 407 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "" "-" "" 5157 2014 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0 " "" "0"

[14/Mar/2014:08:31:59 +0100] "gpa1660" 255.255.255.255 200 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 456 2382 "Mozilla/5.0 (compatible; MSIE 9.0;  indows NT 6.1; WOW64; Trident/5.0)" "" "0"

[14/Mar/2014:09:01:12 +0100] "enu1420" 255.255.255.255 200 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 460 951 "Mozilla/5.0 (compatible; MSIE 9.0; W ndows NT 6.1; WOW64; Trident/5.0)" "" "0"

[14/Mar/2014:09:12:42 +0100] "ita9000" 172.22.2.10 200 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 655 328 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2 .0) Gecko/20100101 Firefox/22.0" "" "0"

[14/Mar/2014:09:19:03 +0100] "" 172.22.2.10 407 "GET http://www.manta.com/sbbi/?sbbpg=cprcs HTTP/1.1" "" "-" "" 5138 324 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0" "" "0"

[14/Mar/2014:09:19:03 +0100] "" 172.22.2.10 407 "GET http://www.manta.com/sbbi/?sbbpg=cprcs HTTP/1.1" "" "-" "" 5151 408 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0" "" "0"

[14/Mar/2014:09:19:03 +0100] "ita9000" 172.22.2.10 407 "GET http://www.manta.com/sbbi/?sbbpg=cprcs HTTP/1.1" "" "-" "" 5145 788 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/2 .0" "" "0"

[14/Mar/2014:09:19:03 +0100] "" 172.22.2.10 407 "GET http://www.manta.com/sbbi/?sbbpg=cprcs HTTP/1.1" "" "-" "" 5151 408 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0" "" "0"

[14/Mar/2014:09:19:03 +0100] "ita9000" 172.22.2.10 200 "GET http://www.manta.com/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 340 764 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22. ) Gecko/20100101 Firefox/22.0" "" "0"

[14/Mar/2014:10:16:30 +0100] "lab1484" 255.255.255.255 200 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 460 1205 "Mozilla/5.0 (compatible; MSIE 9.0;  indows NT 6.1; WOW64; Trident/5.0)" "" "0"

[14/Mar/2014:11:01:58 +0100] "sew1659" 255.255.255.255 200 "GET http://www.manta.com/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 340 2798 "Mozilla/5.0 (compatible; MSIE 9.0; Wi dows NT 6.1; WOW64; Trident/5.0)" "" "0"

[14/Mar/2014:11:05:51 +0100] "fge1930" 255.255.255.255 200 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 461 1497 "Mozilla/5.0 (compatible; MSIE 9.0;  indows NT 6.1; WOW64; Trident/5.0)" "" "0"

[14/Mar/2014:11:09:41 +0100] "tgi1783" 255.255.255.255 200 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 461 1114 "Mozilla/5.0 (compatible; MSIE 9.0;  indows NT 6.1; WOW64; Trident/5.0)" "" "0"

[14/Mar/2014:11:36:32 +0100] "lsk1747" 255.255.255.255 200 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 460 1656 "Mozilla/5.0 (compatible; MSIE 9.0;  indows NT 6.1; WOW64; Trident/5.0)" "" "0"

[14/Mar/2014:11:57:54 +0100] "vpa1709" 255.255.255.255 200 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 461 1211 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0" "" "0"

[14/Mar/2014:12:09:20 +0100] "anp1877" 255.255.255.255 200 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 460 1087 "Mozilla/5.0 (compatible; MSIE 9.0;  indows NT 6.1; WOW64; Trident/5.0)" "" "0"

[14/Mar/2014:13:27:01 +0100] "vpa1709" 255.255.255.255 200 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 460 1199 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0" "" "0"

[14/Mar/2014:15:25:28 +0100] "fge1930" 255.255.255.255 200 "GET http://www.homegate.ch/sbbi/?sbbpg=cprcs HTTP/1.1" "Business" "Minimal Risk" "image/png" 461 1513 "Mozilla/5.0 (compatible; MSIE 9.0;  indows NT 6.1; WOW64; Trident/5.0)" "" "0"

[root@sec-gate01 access.log]#

Does anybody know where and why this 255. IP is coming from?

TIA!

Andreas

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: 255.255.255.255 as source ip in access log

Hi Andreas,

It's coming from the X-Forwarded-For header. MWG will read the XFF in as the client.IP if it exists. This is useful for proxy chain scenarios. If you do not have a proxy chain then you might want to rewrite the client.IP back to the connection.IP (where the traffic originated from) instead.

See attached screenshot and ruleset:

2014-03-14_110406.png

Best,

Jon

0 Kudos
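The behaviour described in the answer above, as an added example that is not part of the thread and is not MWG code or its rule set: a Python model of choosing between the X-Forwarded-For value and the connection address, plus an audit of access-log lines for source IPs no client could have. The function names, the `trusted_proxies` parameter and the sample lines are assumptions made for illustration; the field order follows the log lines quoted in the question.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Field order as in the log lines quoted in the thread:
# [time] "user" source_ip status "METHOD url protocol" ...
LINE_RE = re.compile(
    r'^\[[^\]]+\] "(?P<user>[^"]*)" (?P<src>\S+) (?P<status>\d{3}) '
    r'"\S+ (?P<url>\S+) [^"]*"'
)

def is_plausible_client(ip_text):
    """False for values no real client can use as a source address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    broadcast = str(ip) == "255.255.255.255"
    return not (broadcast or ip.is_multicast or ip.is_unspecified or ip.is_reserved)

def effective_client_ip(connection_ip, xff_header, trusted_proxies):
    """Use X-Forwarded-For only when the TCP peer is a known upstream proxy."""
    if connection_ip in trusted_proxies and xff_header:
        # The rightmost entry is the one the trusted proxy appended itself;
        # everything to its left was supplied by whoever connected to it.
        candidate = xff_header.split(",")[-1].strip()
        if is_plausible_client(candidate):
            return candidate
    return connection_ip

def implausible_sources(log_lines):
    """Count entries per (source IP, URL path and query) with an implausible source."""
    hits = Counter()
    for line in log_lines:
        m = LINE_RE.match(line)
        if m and not is_plausible_client(m.group("src")):
            u = urlsplit(m.group("url"))
            hits[(m.group("src"), u.path + ("?" + u.query if u.query else ""))] += 1
    return hits

# Constructed sample lines: shortened, with hypothetical users and hosts.
SAMPLE = [
    '[14/Mar/2014:08:21:51 +0100] "user1" 255.255.255.255 200 "GET http://www.example.com/sbbi/?sbbpg=cprcs HTTP/1.1" "Business"',
    '[14/Mar/2014:09:12:42 +0100] "user2" 172.22.2.10 200 "GET http://www.example.com/sbbi/?sbbpg=cprcs HTTP/1.1" "Business"',
    '[14/Mar/2014:09:19:03 +0100] "" 255.255.255.255 407 "GET http://www.example.org/sbbi/?sbbpg=cprcs HTTP/1.1" ""',
]

if __name__ == "__main__":
    for (src, path), count in implausible_sources(SAMPLE).items():
        print(count, src, path)
```

Grouping the hits by path shows whether the implausible value is tied to one request pattern, as it is in the thread; logging the connection address alongside the header-derived one keeps the real origin available either way.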