Suricata X-Forwarded-For



  • Is it possible to use X-Forwarded-For in Suricata so that not the proxy server itself, but the actual "attacker", gets blocked?
    According to this: https://redmine.openinfosecfoundation.org/issues/478
    Suricata has this capability.



  • Based on where the final changes for supporting this were added in Suricata, the answer is "no": the blocking module can't block the X-Forwarded-For address.  The blocking module is not in the unified2 chain.

    This analysis is based off a sort of quick review of the Suricata pull request and Redmine thread you linked.  I will have some time later to study it in more detail just in case I overlooked something in my initial review.

    Bill



  • Yes, you are right, according to the thread they added it to Suricata 2.0 and in the unified2 chain.
    Can you explain where the current Suricata package is getting its blocking IPs from?
    Then I'll try to figure it out.



  • @digdug3:

    Yes, you are right, according to the thread they added it to Suricata 2.0 and in the unified2 chain.
    Can you explain where the current Suricata package is getting its blocking IPs from?
    Then I'll try to figure it out.

    From the alert-fast log chain.  The blocking plugin is in the Suricata output chain.  It may be that some additional information is buried in the Packet structure passed to the blocking plugin, but I have not investigated it that deeply yet.

    Bill
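The following is an added example, not code from this thread or from the pfSense/Suricata package. It illustrates both replies above: the alert-fast line that the blocking plugin consumes carries only the packet-level source and destination, so for proxied traffic the "attacker" it sees is the proxy, while an output that has X-Forwarded-For support enabled exposes the header value as a separate field. The EVE record is used here as the stand-in for an XFF-aware output, and its layout (a top-level "xff" key when the option is set to extra-data mode) is an assumption, as are the sample log lines, which are constructed. The trusted-proxy check is the caveat a practitioner would want: the header is attacker-controlled text and must only be honoured when the packet actually came from a proxy you run.

```python
"""Compare what fast.log and an XFF-aware alert record expose to a blocker.

Added example; not part of the original thread or the pfSense package.
"""
import ipaddress
import json
import re

# Constructed alert-fast line in Suricata's fast.log format. It only carries the
# packet-level addresses, so for proxied traffic the source is the proxy itself.
FAST_LINE = (
    "12/09/2014-09:48:12.345678  [**] [1:2100498:7] GPL ATTACK_RESPONSE "
    "id check returned root [**] [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 203.0.113.10:53425 -> 192.0.2.20:80"
)

# Constructed EVE alert as it would look with xff enabled in extra-data mode.
# Assumed layout: the header value lands in a top-level "xff" key.
EVE_LINE = json.dumps({
    "timestamp": "2014-12-09T09:48:12.345678+0000",
    "event_type": "alert",
    "src_ip": "203.0.113.10",   # the proxy, as seen on the wire
    "src_port": 53425,
    "dest_ip": "192.0.2.20",
    "dest_port": 80,
    "proto": "TCP",
    "xff": "198.51.100.77",     # the client behind the proxy
    "alert": {"signature_id": 2100498,
              "signature": "GPL ATTACK_RESPONSE id check returned root"},
})

# Trailing "{PROTO} src:sport -> dst:dport" part of a fast.log line.
FAST_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_fast_alert(line):
    """Addresses a fast.log consumer can see. There is no XFF field to read."""
    m = FAST_RE.search(line)
    if not m:
        raise ValueError("not a fast.log alert line")
    return {"src_ip": m.group("src"), "dest_ip": m.group("dst"), "xff": None}


def parse_eve_alert(line):
    """Addresses plus the xff value (if present) from one EVE alert record."""
    rec = json.loads(line)
    if rec.get("event_type") != "alert":
        raise ValueError("not an EVE alert record")
    return {"src_ip": rec["src_ip"], "dest_ip": rec["dest_ip"],
            "xff": rec.get("xff")}


def address_to_block(alert, trusted_proxies):
    """Choose the address a blocker should act on.

    The XFF value is client-supplied text: honour it only when the packet-level
    source is a proxy we operate, and only if it parses as an IP address.
    If the header lists several addresses, take the last one, which is the
    address the nearest proxy appended.
    """
    src = alert["src_ip"]
    xff = alert.get("xff")
    if xff and src in trusted_proxies:
        candidate = xff.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            return src  # malformed header: fall back to the wire source
    return src


if __name__ == "__main__":
    proxies = {"203.0.113.10"}
    print("fast.log ->", address_to_block(parse_fast_alert(FAST_LINE), proxies))
    print("eve+xff  ->", address_to_block(parse_eve_alert(EVE_LINE), proxies))
```

Run as a script it shows the difference directly: the fast.log path can only ever return the proxy address, the XFF-aware path returns the client behind it, and an untrusted source or a malformed header degrades back to blocking the wire source rather than whatever string the client put in the header.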