
Author Topic: Suricata block X-Forwarded-For IPs  (Read 119 times)


lido14
Suricata block X-Forwarded-For IPs
« on: December 18, 2017, 04:10:46 pm »
Greetings all,

According to the Suricata docs (http://suricata.readthedocs.io/en/suricata-4.0.0/), the eve-log and unified2-alert output plugins support overwriting the source or destination IP (depending on flow direction) with the IP address obtained from the X-Forwarded-For HTTP header.  It is enabled by adding the necessary xff params to the output plugin configurations.  This is useful when Suricata is inspecting traffic for a Web server behind a reverse proxy, especially when you want to offload SSL at the reverse proxy so Suricata can inspect the decrypted traffic.  The xff functionality in Suricata avoids having to use a more complicated transparent reverse proxy in order to inspect SSL traffic.

For alerts, can Suricata be configured to block IPs in pfSense obtained from the X-Forwarded-For header?


Thank you
« Last Edit: December 18, 2017, 04:13:56 pm by lido14 »
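Added example (not part of the original post, and not the configuration the pfSense Suricata package generates): the suricata.yaml fragment that turns on the X-Forwarded-For handling described above, written against the Suricata 4.0 output-plugin keys. The output filenames are assumptions. In 4.0 the xff block for eve-log sits under the alert event type, while for unified2-alert it sits at the plugin level; the keys themselves are the same.

```yaml
# suricata.yaml (Suricata 4.0) - filenames below are assumed, adjust to the deployment
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            # X-Forwarded-For handling for alerts on traffic that reached the
            # Web server through a reverse proxy.
            xff:
              enabled: yes
              # "overwrite" replaces src_ip or dest_ip (whichever is the proxy
              # side, by flow direction) with the XFF address. "extra-data"
              # keeps the proxy address in src_ip/dest_ip and adds a separate
              # "xff" field to the alert record instead.
              mode: overwrite
              # "reverse": take the last address in the header, i.e. the one the
              # trusted proxy appended. "forward" would take the first address.
              deployment: reverse
              # Header the proxy writes the client address into. Anything a client
              # puts in this header before it reaches the proxy is untrusted; the
              # proxy must append to or overwrite the header, or a client can
              # choose which address gets logged.
              header: X-Forwarded-For
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
      # Same keys as above, but configured per plugin rather than per event type.
      xff:
        enabled: yes
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
```

The substituted address only exists for alerts tied to an HTTP transaction whose request headers Suricata has already parsed; an alert raised earlier in the flow, or on non-HTTP traffic, keeps the proxy address. Use extra-data when the original proxy address still matters for correlation, and overwrite when downstream consumers should only see the client address.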

bmeeks
Re: Suricata block X-Forwarded-For IPs
« Reply #1 on: December 18, 2017, 06:42:04 pm »
No, Suricata on pfSense can't do that (block the X-Forwarded-For address).

Bill