Netgate Discussion Forum
    Suricata "behind" ha-proxy reverse proxy / X-Forwarded-For

    Category: IDS/IPS. 2 Posts, 2 Posters, 911 Views
    • j.koopmann

      Re: Suricata block X-Forwarded-For IPs

      Is it still true that XFF support is not available in Suricata for pfSense? I am able to enable it in EVE logging, but this does not seem to do the trick. I have some rules that will detect malicious traffic between the server in the DMZ and the HAProxy on pfSense, but need to block the source IP (in the X-Forwarded-For header) instead of the HAProxy itself, naturally.

      Thanks!

      • bmeeks (last edited by bmeeks)

        This is a limitation of the Suricata binary itself. See the thread here from the upstream Suricata forum: https://forum.suricata.io/t/suricata-behind-proxy-server/419/.

        So far as I know, this limitation still exists. Suricata can log the XFF in the EVE output, but XFF cannot be used in detection rules, and thus cannot trigger alerts (which would be required to initiate a block).

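Since the thread concludes that XFF can be logged in EVE output but not used inside detection rules, the practical option for the original question is post-processing: read the EVE alert records, recover the true client address from the logged XFF value, and feed that into whatever blocking or reporting mechanism sits outside Suricata. The script below is an added example for this thread, not code from the thread, from Netgate or from the Suricata project. It assumes that EVE logging is configured with XFF in "extra-data" mode so that alert records carry a top-level `xff` field (an assumption about the field name), that the HAProxy address is `10.0.0.1` (a hypothetical value), and it embeds a handful of constructed EVE lines as input. It also deliberately handles two failure modes: a multi-address header, where only the address the reverse proxy itself appended (the last one) is trusted because the earlier entries are client-supplied, and an XFF value that is not a valid IP.

```python
import ipaddress
import json
from collections import Counter

# Hypothetical HAProxy address on pfSense (assumption for this example).
PROXY_IP = "10.0.0.1"

# Constructed EVE JSON lines (not real Suricata output). The top-level "xff"
# key is assumed to be what eve-log emits on alert records in xff extra-data mode.
SAMPLE_EVE = r"""
{"event_type":"alert","src_ip":"10.0.0.1","dest_ip":"10.0.1.20","xff":"203.0.113.7","alert":{"signature_id":1000001,"signature":"TEST scanner"}}
{"event_type":"alert","src_ip":"10.0.0.1","dest_ip":"10.0.1.20","xff":"198.51.100.9, 203.0.113.7","alert":{"signature_id":1000001,"signature":"TEST scanner"}}
{"event_type":"alert","src_ip":"10.0.0.1","dest_ip":"10.0.1.20","alert":{"signature_id":1000002,"signature":"TEST no header"}}
{"event_type":"alert","src_ip":"10.0.0.1","dest_ip":"10.0.1.20","xff":"not-an-ip","alert":{"signature_id":1000001,"signature":"TEST scanner"}}
{"event_type":"http","src_ip":"10.0.0.1","dest_ip":"10.0.1.20","xff":"203.0.113.9"}
{"event_type":"alert","src_ip":"192.0.2.5","dest_ip":"10.0.1.20","alert":{"signature_id":1000003,"signature":"TEST direct"}}
"""


def client_ip_from_xff(value, deployment="reverse"):
    """Pick the trustworthy address out of an X-Forwarded-For value.

    With a reverse proxy in front of the server, the proxy appends the real
    client address last; anything before it was supplied by the client and
    can be forged. In a forward-proxy deployment the first entry is the
    client. Returns None when the chosen entry is not a valid IP address.
    """
    parts = [p.strip() for p in str(value).split(",") if p.strip()]
    if not parts:
        return None
    candidate = parts[-1] if deployment == "reverse" else parts[0]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def true_source(record, proxy_ip=PROXY_IP):
    """Return the address an alert should be attributed to, or None.

    Traffic arriving from the proxy is attributed to the XFF client; traffic
    from anywhere else keeps its packet-level source. Proxied traffic with no
    usable XFF value cannot be attributed and must not be blamed on the proxy.
    """
    src = record.get("src_ip")
    if src != proxy_ip:
        return src
    if "xff" not in record:
        return None
    return client_ip_from_xff(record["xff"])


def alert_sources(eve_text, proxy_ip=PROXY_IP):
    """Count alert events per true client address over EVE JSON lines.

    Non-alert events (http, flow, ...) are skipped. Alerts that cannot be
    attributed are counted separately so they remain visible for review.
    """
    by_client = Counter()
    unattributed = 0
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("event_type") != "alert":
            continue
        src = true_source(record, proxy_ip)
        if src is None:
            unattributed += 1
        else:
            by_client[src] += 1
    return {"by_client": by_client, "unattributed": unattributed}


if __name__ == "__main__":
    result = alert_sources(SAMPLE_EVE)
    for ip, n in result["by_client"].most_common():
        print(f"{ip}\t{n} alert(s)")
    print(f"unattributed alerts: {result['unattributed']}")
```

The output of this script is a per-client alert count that an external step (a firewall alias update, a ticket, a SIEM correlation) can act on; it does not make Suricata itself block on XFF, which remains the limitation described above. Running it as a tail on `eve.json` and deciding on a threshold before blocking is the usual shape of such a workaround.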
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.