Netgate Discussion Forum
    Suricata X-Forward-For

    IDS/IPS
    4 Posts 2 Posters 1.1k Views

    digdug3

      Is it possible to use X-Forward-For in Suricata so that not the proxy server itself is blocked, but the actual "attacker"?
      According to this: https://redmine.openinfosecfoundation.org/issues/478
      Suricata has the possibility.

      bmeeks

        Based on where the final changes for supporting this were added in Suricata, the answer is "no": the blocking module can't block the X-Forward-For address. The blocking module is not in the unified2 chain.

        This analysis is based on a rather quick review of the Suricata pull request and Redmine thread you linked. I will have some time later to study it in more detail, just in case I overlooked something in my initial review.

        Bill

        digdug3

          Yes, you are right; according to the thread they added it to Suricata 2.0, and in the unified2 chain.
          Can you explain where the current Suricata package is getting its blocking IPs from?
          Then I'll try to figure it out.

          bmeeks

            @digdug3:

            Yes, you are right; according to the thread they added it to Suricata 2.0, and in the unified2 chain.
            Can you explain where the current Suricata package is getting its blocking IPs from?
            Then I'll try to figure it out.

            From the alert-fast log chain. The blocking plugin is in the Suricata output chain. It may be that some additional information is buried in the Packet structure passed to the blocking plugin, but I have not investigated it that deeply yet.

            Bill

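To make the point above concrete, here is an added example (not code from the pfSense package or from Suricata) that parses constructed Suricata fast.log alert lines the way a blocker fed from the alert-fast chain would see them. The only addresses available are the ones on the wire, so a request relayed through a reverse proxy shows the proxy's address as the source; the `pass_list` check is the usual mitigation for keeping the proxy itself out of the block table. The regex, the IPv4-only restriction and the sample alerts (local-range sid 1000001, proxy at 10.0.0.5) are all assumptions of this example.

```python
import re
from ipaddress import ip_address, ip_network

# Shape of an IPv4 Suricata fast.log alert line (assumed; IPv6 lines are skipped).
FAST_LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.+?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+'
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+'
    r'(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$'
)


def parse_fast_log_line(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = FAST_LOG_RE.match(line)
    return m.groupdict() if m else None


def block_candidates(lines, pass_list):
    """Source IPs a fast.log-driven blocker would act on, minus pass-listed networks.

    Nothing in a fast.log line carries an X-Forwarded-For value, so the source
    is always the on-the-wire address: the proxy, when one sits in front.
    """
    passed = [ip_network(n) for n in pass_list]
    blocked = set()
    for line in lines:
        alert = parse_fast_log_line(line)
        if alert is None:
            continue  # not an alert line (or IPv6): nothing to block
        src = ip_address(alert['src'])
        if any(src in net for net in passed):
            continue  # pass-listed, e.g. our own reverse proxy
        blocked.add(str(src))
    return blocked


# Constructed sample lines, not real alerts; 10.0.0.5 plays the reverse proxy.
SAMPLE = [
    '01/02/2025-10:15:03.145713  [**] [1:1000001:1] CONSTRUCTED TEST alert via proxy [**] '
    '[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51276 -> 192.168.1.2:80',
    '01/02/2025-10:15:04.000001  [**] [1:1000002:1] CONSTRUCTED TEST alert direct [**] '
    '[Priority: 3] {TCP} 203.0.113.9:40000 -> 192.168.1.3:1433',
    'not an alert line',
]
PASS_LIST = ['10.0.0.0/24']  # constructed: the network the proxy lives in

if __name__ == '__main__':
    print(block_candidates(SAMPLE, PASS_LIST))  # {'203.0.113.9'}
```

Without the pass list the proxy's address 10.0.0.5 would be blocked along with the real offender, which is exactly the problem the original poster is asking about.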
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.