From 213fdcead99813e7bd3314e459ab211b3e053699 Mon Sep 17 00:00:00 2001
From: Andrew Kroh <andrew.kroh@elastic.co>
Date: Sun, 27 Mar 2016 14:49:42 -0400
Subject: [PATCH] Split real_ip_header value when it contains multiple IPs

Fixes #1236
---
 CHANGELOG.asciidoc                             |   1 +
 packetbeat/protos/http/http_parser.go          |   4 +++-
 .../system/pcaps/http_x_forwarded_for.pcap     | Bin 0 -> 1530 bytes
 packetbeat/tests/system/test_0008_realip.py    |  17 +++++++++++++++++
 4 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 packetbeat/tests/system/pcaps/http_x_forwarded_for.pcap

diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 744f93a8b96..63121591ad5 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -55,6 +55,7 @@ https://github.com/elastic/beats/compare/v1.1.2...master[Check the HEAD diff]
 - Allow PF_RING sniffer type to be configured using pf_ring or pfring {pull}671[671]
 - Create a proper BPF filter when ICMP is the only enabled protocol {issue}757[757]
 - Check column length in pgsql parser. {issue}565{565
+- Split real_ip_header value when it contains multiple IPs {pull}1241[1241]
 
 *Topbeat*
 - Fix issue with cpu.system_p being greater than 1 on Windows {pull}1128[1128]
diff --git a/packetbeat/protos/http/http_parser.go b/packetbeat/protos/http/http_parser.go
index 47ee3d87582..4f9021a8c46 100644
--- a/packetbeat/protos/http/http_parser.go
+++ b/packetbeat/protos/http/http_parser.go
@@ -330,7 +330,9 @@ func (parser *parser) parseHeader(m *message, data []byte) (bool, bool, int) {
 				m.connection = headerVal
 			}
 			if len(config.RealIPHeader) > 0 && bytes.Equal(headerName, []byte(config.RealIPHeader)) {
-				m.RealIP = headerVal
+				if ips := bytes.SplitN(headerVal, []byte{','}, 2); len(ips) > 0 {
+					m.RealIP = trim(ips[0])
+				}
 			}
 
 			if config.SendHeaders {
diff --git a/packetbeat/tests/system/pcaps/http_x_forwarded_for.pcap b/packetbeat/tests/system/pcaps/http_x_forwarded_for.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..19f081c54a29a6457f269fd76ef6065476ab1284
GIT binary patch
literal 1530
zcmaKs&ubG~6vywx*jEMyTftw5a0#MVGBcSZwas)AI@+|UbZlrw(JtgoC)cE!Wa4Df
zv?8|X%6~u?7JqC+LGU*SBFK9#+!TKxsC}aNT!<ib;pWL(=(&?N(KI@6;r`-tzUO=H
zndg7syy!t*RR6q)fyMNe|Mvc?GH5r<=|JuGrg5LL=C8T8S6fjWq26;+FY0Z1ah^@L
zjJ}lrS(yKXlAYG;5qkN$=i9f{lL&ddD{nI^R;*;0R(7NZr|Fs3Q>Cw(V$d#F(^2JC
zW4Lr>;R`}tEsx((GL3+e^Pkk&jRr(WU08j||7yaepZ0oMSuOtcBBev5Kd9~lK;8jV
zI+p1U-#<om-~F>ecM9lZGi_}f&UGNPsMn@sO8f}K2LPjE8S!TF5hZRu)0DWrZNte^
zKNAPyIu>z4*OQ_oNF1B6N{);(mX*m7!L;%myQf5KUd@mK?3-mfCw2+pkPzTl)ig;F
zHao-)j@`%iTXw~;(<Du2GVYED!El!liU?95?8j0-kc6NRa%UkSEOc@#$I^UOU9UT|
z%=_@dSJ(UZ4c?D|_fKcq813qzYCho3HSpc0L{0Rd15jBy8i}6d=XI1gccm$DJ)<4;
z*N9IjamgDT3P@P9CP*45iJdnJ;7D$YV}~r$aK^2IjI)kYltr;psR(rgMULHR6&$$C
z>r+J{V~0#SV%Ev$da#)_>=JRJd-Q(3n`8S72hLOFf*%LFux8je7?8GOsap<4WGR9N
zG@WDPlf`kHlw_=z3EbO`)ne0oI}I~ScpBQaaxyNK$8zJQALorp-pG(>urm@21fYs3
zVowmLSEf>`D;*+*jFXjdP>Rsf?n|Zkq-{CGtR^b;;JlS4(XpIm9(HSQ8+pPH7wIub
zOQ~9Xcw}&3a5pWolF+rGn39OAeK93Z9K$t=Cr8TT6H%YJXpRHs`0(N?>Z`l7WK!8V
z$ani<tfCL<L-AOx8j4umP{eA49m9S5;Z{QW@d~V1Jxg%fGRt|W1<o2J$N`GUDk@Hl
z#QUSZ=H>Invcx8esKx|HMRe&9il$V3zbD|e{kp>+7HB`-C^YorQ+0OJap>^Yv+(;`
z?C|sOhM&;)>(hTnoE@daS0|bh+kx0qBVJx2Zaq~eHg*IGf8Ol&*xjEyV$*Txv1c>w
tjCSQsts_1_M_i^F%^!%%{zBpZZ&8g$w>4;d23b$LS+A{WyaO6Pd<Q2j(dYmG

literal 0
HcmV?d00001

diff --git a/packetbeat/tests/system/test_0008_realip.py b/packetbeat/tests/system/test_0008_realip.py
index 93de850751d..5b55f73d3a6 100644
--- a/packetbeat/tests/system/test_0008_realip.py
+++ b/packetbeat/tests/system/test_0008_realip.py
@@ -23,3 +23,20 @@ def test_x_forward_for(self):
 
         assert o["real_ip"] == "89.247.39.104"
         assert o["client_location"] == "52.528503, 13.410904"
+
+    def test_x_forwarded_for_multiple_ip(self):
+        self.render_config_template(
+            http_ports=[80],
+            http_real_ip_header="X-Forwarded-For",
+            http_send_all_headers=True,
+            geoip_paths=["geoip_city.dat"]
+        )
+        self.copy_files(["geoip_city.dat"])
+        self.run_packetbeat(pcap="http_x_forwarded_for.pcap", debug_selectors=["http"])
+
+        objs = self.read_output()
+        assert len(objs) == 1
+        o = objs[0]
+
+        assert o["real_ip"] == "89.247.39.104"
+        assert o["client_location"] == "52.528503, 13.410904"