Suricata block X-Forwarded-For IPs

  • Greetings all,

    According to the Suricata docs, the eve-log and unified2-alert output plugins support overwriting the source or destination IP (depending on flow direction) with the IP address obtained from the X-Forwarded-For HTTP header.  It is enabled by adding the necessary xff params to the output plugin configurations.  This is useful when Suricata is inspecting traffic for a Web server behind a reverse proxy, especially when you want to offload SSL at the reverse proxy so Suricata can inspect the decrypted traffic.  The xff functionality in Suricata avoids having to use a more complicated transparent reverse proxy in order to inspect SSL traffic.

    For alerts, can Suricata be configured to block IPs in pfSense obtained from the X-Forwarded-For header?

    Thank you
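
For reference, the xff settings the post refers to live under the eve-log output in suricata.yaml. The fragment below is an added illustration, not part of the original thread or of any pfSense package configuration; the key names and the two mode/deployment values are the ones documented in the stock suricata.yaml, while the file path in the comment is only an example:

```yaml
# Added example: eve-log output with X-Forwarded-For support enabled.
# Placed under the top-level "outputs:" list of suricata.yaml (path varies by install).
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      xff:
        enabled: yes
        # "extra-data": keep the real packet IPs and add the XFF address as an
        #               extra field in each event.
        # "overwrite":  replace the source or destination IP (depending on flow
        #               direction) with the address taken from the header.
        mode: overwrite
        # "reverse": proxy sits in front of the server; the last address in
        #            the header is used (the one appended by the nearest proxy).
        # "forward": proxy sits in front of the clients; the first address is used.
        deployment: reverse
        # Header to read the client address from.
        header: X-Forwarded-For
      types:
        - alert
        - http
```

With `mode: overwrite` the alert's `src_ip` field carries the header address, which is what a blocking action would have to act on; with `mode: extra-data` the original proxy IP stays in place and the header address is only reported alongside it. In either mode the value is only as reliable as the proxy that sets the header, so the setting belongs on a sensor that sees traffic coming directly from a proxy you control.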

  • No, Suricata on pfSense can't do that (block the X-Forwarded-For address).


Log in to reply