Replacing the source IP with the X-Forwarded-For IP in Suricata

Imagine a topology like this.

When an attacker tries to intrude into your system and you want to catch him with your IDS (in this scenario, Suricata), you will see the internal interface IP of the gateway device as the source IP of the attacker. As you can imagine, this complicates the analysis process: nobody wants to see their own gateway's internal interface IP as the attack source. However, if your gateway device (WAF, NGFW etc.) can forward the WAN IP via an X-Forwarded-For header, Suricata can replace the source IP with the X-Forwarded-For IP.

For this purpose, Suricata 2.0 and later has a configuration option called xff.

We're editing the suricata.yaml file; the xff block belongs under the eve-log output (outputs -> eve-log):

        xff:
          enabled: yes
          mode: overwrite
          header: X-Forwarded-For

Here, enabled: yes turns the feature on. For mode, there are two options, extra-data and overwrite. In overwrite mode, if the IP address reported in the HTTP X-Forwarded-For header is of a different IP version than the packet received, Suricata falls back to extra-data mode. The header setting names the HTTP header where your extra IP data resides. The default is X-Forwarded-For, but if you want to use another header for this purpose (Client-IP etc.), you can write it here.
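The two modes are easiest to see on the resulting eve.json records. With extra-data, Suricata keeps the gateway address in src_ip and adds the forwarded client address as a separate xff field; with overwrite, src_ip itself is replaced, except when the IP versions differ, in which case the record is left in extra-data form. The following Python script is an added example, not code from the original post or from the Suricata project: it reads a few constructed extra-data alert lines (not real Suricata output) and applies the overwrite rule, including the version-mismatch fallback, on the analysis side. It also shows how one address is chosen from a multi-valued X-Forwarded-For header; Suricata's deployment setting takes the last address in its reverse (default) deployment and the first one in a forward deployment, which the helper below reproduces. The function names and the sample addresses are this example's own.

```python
import ipaddress
import json

# Constructed eve.json alert lines (not real Suricata output), shaped like
# records written with xff.mode = extra-data: src_ip is the gateway's internal
# interface address, the forwarded client address sits in the "xff" field.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.1","dest_ip":"10.0.0.20",'
    '"xff":"203.0.113.7","alert":{"signature":"TEST SQLi attempt"}}',
    # IPv6 client address behind an IPv4 gateway: versions differ
    '{"event_type":"alert","src_ip":"10.0.0.1","dest_ip":"10.0.0.20",'
    '"xff":"2001:db8::1","alert":{"signature":"TEST XSS attempt"}}',
    # request without an X-Forwarded-For header at all
    '{"event_type":"alert","src_ip":"10.0.0.1","dest_ip":"10.0.0.20",'
    '"alert":{"signature":"TEST no header"}}',
    '{"event_type":"flow","src_ip":"10.0.0.1","dest_ip":"10.0.0.20"}',
]


def select_forwarded_ip(header_value, deployment="reverse"):
    """Pick one address out of an X-Forwarded-For value such as
    'client, proxy1, proxy2'. 'reverse' takes the last address (the one the
    gateway in front of Suricata appended), 'forward' takes the first.
    Returns None if the chosen token is not a valid IP address."""
    tokens = [t.strip() for t in header_value.split(",") if t.strip()]
    if not tokens:
        return None
    chosen = tokens[-1] if deployment == "reverse" else tokens[0]
    try:
        return str(ipaddress.ip_address(chosen))
    except ValueError:
        return None


def apply_overwrite(record):
    """Emulate xff.mode = overwrite on an extra-data style record.
    The forwarded address replaces src_ip only when both addresses have the
    same IP version; otherwise the record stays in extra-data form, which is
    the fallback the Suricata configuration describes. The xff field is kept
    so the gateway address is not lost (an analysis choice of this example)."""
    rec = dict(record)
    forwarded = rec.get("xff")
    if forwarded is None:
        return rec
    try:
        fwd_ip = ipaddress.ip_address(forwarded)
        src_ip = ipaddress.ip_address(rec["src_ip"])
    except (ValueError, KeyError):
        return rec
    if fwd_ip.version != src_ip.version:
        return rec  # version mismatch: fall back to extra-data
    rec["src_ip"] = str(fwd_ip)
    return rec


def normalize_eve(lines):
    """Parse eve.json lines and rewrite alert records as overwrite mode would.
    Non-alert records (flow, http, ...) are passed through unchanged."""
    out = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            rec = apply_overwrite(rec)
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in normalize_eve(SAMPLE_EVE_LINES):
        sig = rec.get("alert", {}).get("signature", "-")
        print(f"{rec['event_type']:5} src={rec['src_ip']:15} xff={rec.get('xff', '-'):12} {sig}")
    print(select_forwarded_ip("198.51.100.9, 203.0.113.7"))
```

Only the address your own gateway wrote into the header can be trusted: a client can send its own X-Forwarded-For value, and if the gateway appends rather than replaces, the first entry is attacker-controlled. That is why the reverse (last address) choice is the safe default, and why the gateway should be configured to strip or overwrite any incoming X-Forwarded-For before adding its own.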


Read more posts by this author.