Suricata and X-Forwarded-For header


kenpotf

Sep 21, 2016, 9:57:06 AM
to security-onion
All,
My proxy server is sending the x-forwarded-for header, but Suricata/Sguil/Squert is still reporting the proxy server's address as the source of the traffic. I have xff enabled in suricata.yaml. Currently, my settings are below:

xff:
  enabled: yes
  mode: overwrite
  deployment: forward
  header: X-Forwarded-For

I have tried mode:extra-data (default), deployment:reverse, and header: Client-ip as well. Squert is still reporting the proxy server as the source address. The X-Forwarded-For header is in the packet, so I can see that it's being added. Does Suricata not support this correctly?

Thanks!
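An added illustration, not code from this thread or from the Suricata project, of what the posted xff settings are meant to do to an alert record. It follows the rule in Suricata's xff documentation (a forward deployment takes the first address in the header, a reverse deployment the last); the alert record, header value and IP addresses are constructed for the example.

```python
import ipaddress

# Mirror of the settings posted above (YAML 'yes' becomes True here).
POSTED_SETTINGS = {"enabled": True, "mode": "overwrite",
                   "deployment": "forward", "header": "X-Forwarded-For"}

# Constructed EVE-style alert: src_ip is the proxy, the real client is in XFF.
SAMPLE_ALERT = {"src_ip": "10.0.0.5", "dest_ip": "203.0.113.9",
                "http_headers": {"X-Forwarded-For": "192.0.2.44, 198.51.100.7"}}


def xff_client_ip(header_value, deployment):
    """Pick the client address from an X-Forwarded-For value.

    'forward' deployments use the first address, 'reverse' the last
    (the documented Suricata rule). Returns None when the chosen entry
    is empty or not a valid IP, e.g. a header value of "unknown".
    """
    entries = [e.strip() for e in header_value.split(",") if e.strip()]
    if not entries:
        return None
    pick = entries[0] if deployment == "forward" else entries[-1]
    try:
        return str(ipaddress.ip_address(pick))
    except ValueError:
        return None


def apply_xff(record, settings):
    """Apply an xff block to an alert record and return the new record.

    mode 'overwrite' replaces src_ip with the client address; mode
    'extra-data' keeps src_ip and adds an 'xff' field instead. A disabled
    block, a missing header or an invalid address leaves the record alone.
    """
    rec = dict(record)
    if not settings.get("enabled"):
        return rec
    wanted = settings.get("header", "X-Forwarded-For").lower()
    headers = {k.lower(): v for k, v in rec.get("http_headers", {}).items()}
    client = xff_client_ip(headers.get(wanted, ""), settings.get("deployment"))
    if client is None:
        return rec
    if settings.get("mode") == "overwrite":
        rec["src_ip"] = client
    else:  # 'extra-data' (Suricata's default)
        rec["xff"] = client
    return rec
```

If an alert still shows the proxy as src_ip after the overwrite path above, the header was either absent on that request or the chosen entry was not a parsable address.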

Wes

Sep 21, 2016, 12:33:46 PM
to security-onion

You might want to take a look at the following to see if it helps:

https://groups.google.com/d/msg/security-onion/WmYSUk4Z1N8/XaVHmdeyAQAJ

Thanks,
Wes
