Suricata block X-Forwarded-For IPs



  • Greetings all,

    According to the Suricata docs (http://suricata.readthedocs.io/en/suricata-4.0.0/), the eve-log and unified2-alert output plugins support overwriting the source or destination IP (depending on flow direction) with the IP address obtained from the X-Forwarded-For HTTP header.  It is enabled by adding the necessary xff params to the output plugin configurations.  This is useful when Suricata is inspecting traffic for a Web server behind a reverse proxy, especially when you want to offload SSL at the reverse proxy so Suricata can inspect the decrypted traffic.  The xff functionality in Suricata avoids having to use a more complicated transparent reverse proxy in order to inspect SSL traffic.

    For alerts, can Suricata be configured to block IPs in pfSense obtained from the X-Forwarded-For header?

    Thank you
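    An added illustration of the output configuration the post above describes (not from the original post or the Suricata project); the log file names are assumptions, the xff keys and values are the suricata.yaml ones:

```yaml
outputs:
  # EVE JSON log with X-Forwarded-For handling (Suricata 4.0 syntax)
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json          # assumed file name
      xff:
        enabled: yes
        # extra-data: keep the real src/dst IPs and add an "xff" field to each record
        # overwrite:  replace the proxy-side IP with the header value (original IP is lost)
        mode: extra-data
        # reverse: Suricata sees traffic behind a reverse proxy, header names the client
        # forward: Suricata sees traffic behind a forward proxy
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert
        - http

  # unified2 alerts accept the same xff block
  - unified2-alert:
      enabled: yes
      filename: unified2.alert    # assumed file name
      xff:
        enabled: yes
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
```

    Whichever mode is used, the logged address is only as trustworthy as the proxy that sets the header: the proxy must replace any client-supplied X-Forwarded-For rather than append to it, otherwise the recorded client IP is whatever the client chose to send.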



  • No, Suricata on pfSense can't do that (block the X-Forwarded-For address).

    Bill