4. Suricata X-Forward-For

Suricata X-Forward-For

  • D

    Is it possible to use X-Forward-For in Suricata so not the Proxy server itself would be blocked, but the actual "attacker"?
    According to this: https://redmine.openinfosecfoundation.org/issues/478
    Sucricata has the possibility.

    0

  • Based on where the final changes for supporting this were added in Suricata, the answer is "no", the blocking module can't block the X-Forward-For address.  The blocking module is not in the unified2 chain.

    This analysis is based off a sort of quick review of the Suricata pull request and Redmine thread you linked.  I will have some time later to study it in more detail just in case I overlooked something in my initial review.

    Bill

    0
  • D

    Yes, you are right, according to the thread they added it to Suricata 2.0 and in the unified2 chain.
    Can you explain where the current Suricata package is getting its blocking ip's from?
    Then I'll try to figure it out.

    0

  • @digdug3:

    Yes, you are right, according to the thread they added it to Suricata 2.0 and in the unified2 chain.
    Can you explain where the current Suricata package is getting its blocking ip's from?
    Then I'll try to figure it out.

    From the alert-fast log chain.  The blocking plugin is in the Suricata output chain.  It may be that some additional information is buried in the Packet structure passed to the blocking plugin, but I have not investigated it that deeply yet.

    Bill

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy