Imagine a topology like this.
When an attacker try to intrude your system and you want to catch him with your IDS solution (in this scenario, Suricata) you will see the internal interface IP of the gateway device as source ip for your attacker. As you can think, this will complicate the analysis process. Who wants to see 10.1.23.1 as attack source ip? However, if your gateway device (WAF, NGFW etc.) has a capability for forwarding WAN IP via X-Forwarded-For, Suricata can replace the source ip with X-Forwarded-For ip.
For this purpose, there is a flag called xff for Suricata above 2.0 version.
We're editing Suricata.yaml file
xff: enabled: yes mode: overwrite header: X-Forwarded-For
Here, enabled:yes opens this flag. For mode part, there is two options. In the overwrite mode, if the reported IP address in the HTTP
X-Forwarded-For header is of a different version of the packet received, it will fall-back to extra-data mode. For header section, it's the HTTP Header where your extra IP data resides. Default is X-Forwarded-For but if you want to use another header for this purpose, you can write it here (like Client-IP etc...)