[Oisf-users] Suricata X-Forwarded For Question

Duarte Silva duarte.silva at serializing.me
Tue Oct 28 20:17:03 UTC 2014

On Tuesday 28 October 2014 17:49:58 Peter Manev wrote:
> On Tue, Oct 28, 2014 at 3:32 PM, Kevin Ross <kevross33 at googlemail.com> 
> > Hi,
> > 
> > I use X-Forwarded-For overwriting. I have new proxies though and before it
> > would be typically a single IP but now it is X-Forwarded-For: CLIENT_IP,
> >

With those new proxies you are using, the vendor is actually implementing the 
XFF specification correctly where the left-most value is the original client 
and where each successive proxy that passed the request adds it's IP address 
to the right.

In Suricata, the XFF code will use the last entry because it has been designed 
to be used in a reverse proxy environment, meaning, in an environment where 
you have a reverse proxy (Apache, F5, etc.), routing traffic to the internal web 
servers where the last IP address of the XFF header is the actual IP from the 
client that requested the page, image, etc.

This is so to avoid spoofing, the last IP is the one added by the reverse proxy 
and the one that should be trusted.

One way I could see this being fixed is by adding a configuration option in 
order for the XFF code to behave differently depending on the deployment, 
allowing the user to choose.


> > 
> > I have no idea why this is the case it would add that in but basically
> > Suricata is taking the loopback as the overwrite address. Can I specify
> > which which one to use? If not I will need to disable this which I would
> > prefer not to until vendor responds :(
> > 
> > 
> > Thanks,
> > Kevin
> I am not sure I understand - could you give an example of a log entry
> or something ?

More information about the Oisf-users mailing list