Suricata "behind" HAProxy reverse proxy / X-Forwarded-For
-
Re: Suricata block X-Forwarded-For IPs
Is it still true that XFF support is not available in Suricata for pfSense? I am able to enable it in EVE logging but this does not seem to do the trick. I have some rules that will detect malicious traffic between the server in the DMZ and the HAProxy on pfSense but need to block the source_ip (in the X-Forwarded-For header) instead of the HAProxy itself, naturally.
Thanks!
-
This is a limitation of the Suricata binary itself. See the thread here from the upstream Suricata forum: https://forum.suricata.io/t/suricata-behind-proxy-server/419/.
So far as I know, this limitation still exists. Suricata can log the XFF in the EVE output, but XFF cannot be used in detection rules, and thus cannot trigger alerts (which would be required to initiate a block).
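As an added example (not part of this thread, and not Suricata or pfSense code), here is the defender-side step the answer above leaves open: since Suricata can log the XFF value but cannot match on it in a rule, a small script can read the EVE JSON alert records, pull out the client address Suricata logged from the header, and build a reviewable candidate list that a separate blocking mechanism can consume. It assumes the EVE alert record carries the header value in a top-level `xff` field (as Suricata's `extra-data` XFF mode logs it) and that `src_ip` on those alerts is the proxy's own address; the log lines, the proxy address `10.0.0.5` and the signature IDs are constructed for the example.

```python
import ipaddress
import json

# Constructed sample EVE lines (not real logs). All alerts arrive with the
# proxy as src_ip; only some carry an "xff" field, and one carries garbage
# (a spoofed or malformed header must never reach a block list).
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "192.168.1.20",
                "alert": {"signature_id": 1000001, "signature": "TEST web attack"},
                "xff": "203.0.113.7"}),
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "192.168.1.20",
                "alert": {"signature_id": 1000002, "signature": "TEST no xff"}}),
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "192.168.1.20",
                "alert": {"signature_id": 1000001, "signature": "TEST web attack"},
                "xff": "not-an-ip"}),
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "192.168.1.20",
                "alert": {"signature_id": 1000003, "signature": "TEST internal xff"},
                "xff": "192.168.5.4"}),
    json.dumps({"event_type": "http", "src_ip": "10.0.0.5", "dest_ip": "192.168.1.20",
                "xff": "198.51.100.9"}),
]

# Hypothetical HAProxy address on the pfSense box; alerts whose only source is
# the proxy itself give us nothing to block.
PROXY_ADDRESSES = {"10.0.0.5"}

# Ranges that must never be blocked on the WAN side. Kept as an explicit list
# rather than ipaddress's is_global so the constructed documentation-range
# samples above still count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def client_ip_from_alert(record, proxy_addresses=PROXY_ADDRESSES):
    """Return the originating client IP for an alert record, or None.

    Prefers the XFF value Suricata logged and falls back to src_ip only when
    that is not a known proxy. Anything that is not a single, parseable,
    externally routable address is rejected: the header is client-controlled.
    """
    if record.get("event_type") != "alert":
        return None
    candidate = record.get("xff") or record.get("src_ip")
    if candidate in proxy_addresses:
        return None
    try:
        addr = ipaddress.ip_address(candidate.strip())
    except (ValueError, AttributeError):
        return None  # garbage, a comma-separated list, or missing entirely
    if any(addr in net for net in INTERNAL_NETS):
        return None
    return str(addr)


def block_candidates(lines, proxy_addresses=PROXY_ADDRESSES):
    """Map each client IP seen in alerts to the set of signature IDs that fired."""
    candidates = {}
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line left by log rotation; skip it
        ip = client_ip_from_alert(record, proxy_addresses)
        if ip is None:
            continue
        sid = record.get("alert", {}).get("signature_id")
        candidates.setdefault(ip, set()).add(sid)
    return candidates


if __name__ == "__main__":
    # In a real deployment iterate over the eve.json file instead of the samples.
    for ip, sids in sorted(block_candidates(SAMPLE_EVE_LINES).items()):
        print(ip, sorted(sids))
```

The output of `block_candidates` is deliberately a review list rather than a firewall call: how the address then gets blocked (a pfSense alias/table, a pfctl table, an HAProxy ACL) is a separate decision, and the validation step matters because the XFF header is set by whoever connects to the proxy and can be forged on the wire before HAProxy overwrites or appends to it.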