Suricata and TLS Termination: how to log the original src and dst

Hey Team,

I have the following setup that allows IDS for SSL traffic:

internal->firewall->tls_termination->suricata->firewall->internet

Suricata creates the alerts with src:<tls_termination> dst: , while the desired outcome is of course: src: dst:

I have enabled adding HTTP headers within the tls_termination to send the internal:port internet:port information.

I have initially thought of using the xff feature in eve logging, but it allows only one IP address.

My question is: can I extract and add the orig src and dst information to be part of the alert output?

Best regards,

Shany

Can you forge a test pcap so we can look into it?

Sure,

the pcap is here:
tcp-dump-balmas.pcap (54.5 KB)

note that
127.2.0.1 is the tls_termination service
127.3.0.1 is the proxy that resends the traffic as HTTPS traffic

Well, if you have Suricata positioned after the TLS termination happened and the connection is just seen between those two 127.x.y.z IPs without the initial SRC in the packet, I see no way Suricata would magically know the initial SRC IP.

Do you see the initial SRC IP within the pcap?

I do send the original src and dst IP as part of the headers sent by the TLS termination. Currently XFF is limited to extracting only one IP address. Is there a way to extract the additional headers that are sent for the src and dst and have them as part of the "alert" output in eve.json?
This way I can recreate the original 5-tuple together with the signature output.

Thoughts ?

Shany

Now I see it as azfw-forwarded; is that what you refer to?

Yes, I can provide a header with the "original" src->dst, but I want to be able to have Suricata output it as part of the alert payload. Is that possible?
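As an added example, not part of the thread and not Suricata's own code: the thread points out that the eve `xff:` option under the alert output pulls a single address out of one header, so the reconstruction is done here as a post-processing step over eve.json instead. The script assumes that the injected header is named `azfw-forwarded` (the name mentioned above), that its value has the shape "SRC:PORT DST:PORT" (an assumed format; the thread only says "internal:port internet:port"), and that the header is listed under `outputs -> eve-log -> types -> http -> custom` in suricata.yaml so that it is logged inside the `http` object of eve `event_type: http` records. It does not rely on the header also appearing inside alert records; it joins alert and http records on `flow_id` (and `tx_id`), which both record types carry. The eve lines at the bottom are constructed samples, not from the attached pcap.

```python
"""Added example: rebuild the original 5-tuple for Suricata alerts from
a header injected by the TLS termination layer. Not from the thread or
from the Suricata project.

Assumptions (none confirmed by the thread):
  * header name `azfw-forwarded`, value "SRC:PORT DST:PORT";
  * that header is logged in eve http records via the eve-log `custom:` list;
  * alert and http records for one request share flow_id (and tx_id).
"""
import ipaddress
import json
import re

HEADER_NAME = "azfw-forwarded"  # assumed header name

# One endpoint: "1.2.3.4:443" or "[2001:db8::1]:443" (assumed wire format).
_ENDPOINT = r"(?:\[(?P<{n}6>[0-9a-fA-F:.]+)\]|(?P<{n}4>[0-9.]+)):(?P<{n}p>\d{{1,5}})"
_FORWARDED_RE = re.compile(
    r"^\s*" + _ENDPOINT.format(n="s") + r"\s+" + _ENDPOINT.format(n="d") + r"\s*$"
)


def parse_forwarded(value):
    """Return (src_ip, src_port, dst_ip, dst_port) or None if malformed.

    The value is free text from an upstream hop, so it is validated rather
    than trusted: bad addresses or ports are rejected, never guessed.
    """
    m = _FORWARDED_RE.match(value if isinstance(value, str) else "")
    if not m:
        return None
    endpoints = []
    for side in ("s", "d"):
        raw_ip = m.group(side + "6") or m.group(side + "4")
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            return None
        port = int(m.group(side + "p"))
        if not 1 <= port <= 65535:
            return None
        endpoints.append((str(ip), port))
    (src_ip, src_port), (dst_ip, dst_port) = endpoints
    return src_ip, src_port, dst_ip, dst_port


def header_value(http_obj, name):
    """Case-insensitive lookup tolerating '-' vs '_' in the logged key, so the
    exact key spelling Suricata uses for custom headers is not relied on."""
    want = name.lower().replace("-", "_")
    for key, val in (http_obj or {}).items():
        if key.lower().replace("-", "_") == want:
            return val
    return None


def enrich_alerts(eve_lines):
    """Yield alert records with orig_* fields added where the header parsed."""
    records = [json.loads(line) for line in eve_lines if line.strip()]
    http_by_tx = {}    # (flow_id, tx_id) -> http object
    http_by_flow = {}  # flow_id -> http object (fallback when tx_id is absent)
    for rec in records:
        if rec.get("event_type") == "http":
            http_by_tx[(rec.get("flow_id"), rec.get("tx_id"))] = rec.get("http", {})
            http_by_flow.setdefault(rec.get("flow_id"), rec.get("http", {}))
    for rec in records:
        if rec.get("event_type") != "alert":
            continue
        # Try the alert's own http object first, then the joined http record.
        candidates = (rec.get("http"),
                      http_by_tx.get((rec.get("flow_id"), rec.get("tx_id"))),
                      http_by_flow.get(rec.get("flow_id")))
        parsed = None
        for http_obj in candidates:
            parsed = parse_forwarded(header_value(http_obj, HEADER_NAME))
            if parsed:
                break
        if parsed:
            (rec["orig_src_ip"], rec["orig_src_port"],
             rec["orig_dest_ip"], rec["orig_dest_port"]) = parsed
            rec["orig_tuple_source"] = HEADER_NAME
        else:
            rec["orig_tuple_source"] = None  # only the hop addresses are known
        yield rec


# Constructed sample eve.json lines (not a real capture). 127.2.0.1 and
# 127.3.0.1 are the hop addresses named in the thread.
_COMMON = {"src_ip": "127.2.0.1", "src_port": 40001,
           "dest_ip": "127.3.0.1", "dest_port": 8080, "proto": "TCP"}
SAMPLE_EVE = [
    json.dumps({**_COMMON, "flow_id": 1, "tx_id": 0, "event_type": "http",
                "http": {"hostname": "internal.example", "url": "/", "http_method": "GET",
                         "azfw-forwarded": "10.0.0.5:51234 203.0.113.7:443"}}),
    json.dumps({**_COMMON, "flow_id": 1, "tx_id": 0, "event_type": "alert",
                "alert": {"signature": "constructed test signature", "severity": 2}}),
    json.dumps({**_COMMON, "flow_id": 2, "tx_id": 0, "event_type": "http",
                "http": {"hostname": "internal.example", "url": "/x", "http_method": "GET",
                         "azfw-forwarded": "not a 5-tuple"}}),
    json.dumps({**_COMMON, "flow_id": 2, "tx_id": 0, "event_type": "alert",
                "alert": {"signature": "constructed test signature", "severity": 2}}),
]

if __name__ == "__main__":
    for alert in enrich_alerts(SAMPLE_EVE):
        print(json.dumps(alert))
```

Run it against a real file with `enrich_alerts(open("eve.json"))`; alerts whose header is missing or malformed are kept but flagged with `orig_tuple_source: null`, so a dashboard can tell "original client unknown" apart from a real 127.x.y.z source.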