Suricata and X-Forwarded-For header
489 views
Skip to first unread message
kenpotf
Sep 21, 2016, 9:57:06 AM9/21/16
to security-onion
All,
My proxy server is sending the x-forwarded-for header, but Suricata/Sguil/Squert is still reporting the proxy server's address as the source of the traffic. I have xff enabled in suricata.yaml. Currently, my settings are below:
My proxy server is sending the x-forwarded-for header, but Suricata/Sguil/Squert is still reporting the proxy server's address as the source of the traffic. I have xff enabled in suricata.yaml. Currently, my settings are below:
xff:
enabled: yes
mode: overwrite
deployment: forward
header: X-Forwarded-For
I have tried mode:extra-data (default), deployment:reverse, and header: Client-ip as well. Squert is still reporting the proxy server as the source address. The X-Forwarded-For header is in the packet, so I can see that it's being added. Does Suricata not support this correctly?
Thanks!
Wes
Sep 21, 2016, 12:33:46 PM9/21/16
to security-onion
You might want to take a look at the following to see if it helps:
https://groups.google.com/d/msg/security-onion/WmYSUk4Z1N8/XaVHmdeyAQAJ
Thanks,
Wes
Reply all
Reply to author
Forward
0 new messages