Malformed raw event when "Use Client IP from header" turned on

[GoogleCodeExporter]

What steps will reproduce the problem?
1. Check option "Use Client IP from header" in sensor configuration
2. Generate event
3. Download RAW event "RAW Transaction download"

What is the expected output? What do you see instead?
Section A and B is malformed. There is regexp for X-Forwarded-For header two 
times and of course it shouldn't be.

--71f1d212-A--
^X-Forwarded-For:\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9
]{1,2})[27/Feb/2014:06:56:47 +0100] Uw7Tnn8AAAEAAG89OGwAAAAd 66.249.66.173 
40717 192.5.3.50 80
^X-Forwarded-For:\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9
]{1,2})--71f1d212-B--
GET /n?httpotkek3&p%5Bpage%5D=38 HTTP/1.1
Host: star.iban.sk
Connection: Keep-alive
Accept: */*
From: googlebot(at)googlebot.com
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; 
+http://www.google.com/bot.html)
Accept-Encoding: gzip,deflate
X-Forwarded-For: 66.249.66.173

What version of the product are you using? On what operating system?
0.6.3, CentOS 6.5

Please provide any additional information below.

Original issue reported on code.google.com by juraj.sa...@gmail.com on 27 Feb 2014 at 6:05

[GoogleCodeExporter]

Workaround for this issue:
Comment line 109 ($PhaseA_full = $PhaseA_full . $clientIpHeaderRegExp;) in 
controller.php. I am not sure if this line is needed. Why we add something to 
RAW event? I think we should let RAW event intact.

Original comment by juraj.sa...@gmail.com on 27 Feb 2014 at 6:48

[GoogleCodeExporter]

update to previous post: not controller.php but controller/index.php. Sorry

Original comment by juraj.sa...@gmail.com on 27 Feb 2014 at 6:51

[GoogleCodeExporter]

Corrected by your patch.

Original comment by klaub...@gmail.com on 18 Jul 2014 at 2:51

• Changed state: Fixed