Netgate Discussion Forum

Suricata block X-Forwarded-For IPs

  • lido14
    Dec 18, 2017, 10:10 PM (last edited Dec 18, 2017, 10:13 PM)

    Greetings all,

    According to the Suricata docs (http://suricata.readthedocs.io/en/suricata-4.0.0/), the eve-log and unified2-alert output plugins support overwriting the source or destination IP (depending on flow direction) with the IP address obtained from the X-Forwarded-For HTTP header. It is enabled by adding the necessary xff params to the output plugin configurations. This is useful when Suricata is inspecting traffic for a Web server behind a reverse proxy, especially when you want to offload SSL at the reverse proxy so Suricata can inspect the decrypted traffic. The xff functionality in Suricata avoids having to use a more complicated transparent reverse proxy in order to inspect SSL traffic.

    For alerts, can Suricata be configured to block IPs in pfSense obtained from the X-Forwarded-For header?

    Thank you

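The output-plugin configuration the question refers to, shown here as an added illustration rather than anything posted in the thread: the key names under `xff:` are Suricata's own (the same block is accepted by `unified2-alert`), while the file name and the chosen values are assumptions for the example.

```yaml
# suricata.yaml fragment (constructed example, not from the forum thread).
# Only the X-Forwarded-For value reaches the logs; the pfSense package
# still acts on the addresses in the packet headers.
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json        # assumed file name
      xff:
        enabled: yes
        # "overwrite": replace src_ip/dest_ip in the record with the XFF address.
        # "extra-data": keep the packet addresses and add the XFF address as an
        # additional field, which preserves the proxy address for correlation.
        mode: extra-data
        # "reverse": Suricata sits behind a reverse proxy; the last address in
        # the header is used. "forward": the first address is used.
        deployment: reverse
        # Header to read. Trust it only when the proxy itself sets or
        # overwrites it, since a client can send an arbitrary value.
        header: X-Forwarded-For
      types:
        - alert
```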
    • bmeeks
      Dec 19, 2017, 12:42 AM

      No, Suricata on pfSense can't do that (block the X-Forwarded-For address).

      Bill

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.