I have installed Suricata behind a proxy server. I add the client source IP address at the proxy using the XFF header. I have also set the EVE log in Suricata to use x-forwarded-for, and everything is fine in the EVE log. However, I have a problem if I write a rule with a specific IP address: nothing is written to the log. The same issue occurs with geoip.
Sample rules (this is just an example):
client source IP: 18.104.22.168
proxy source IP: 22.214.171.124
A) alert http any any -> any any (msg:"TEST IP"; sid:1; rev:1;)
B) alert http 126.96.36.199 any -> any any (msg:"TEST with SOURCE IP"; sid:2; rev:1;)
Example A works fine and is written to the log with the correct client source IP address.
Example B does not work and is not written to the log at all.
If I write a rule (C) with the proxy source IP address, everything works. I see the original client source IP address in the EVE log (188.8.131.52).
C) alert http 184.108.40.206 any -> any any (msg:"TEST with SOURCE IP"; sid:2; rev:1;)
Is there any way for both rules and geoip to work with the xff header and not with the source proxy IP address?
I apologize for my English.
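An added example, not part of the original post and not Suricata project code, showing the distinction the post runs into. The source and destination address fields of a rule header are compared against the IP header of the packet, which behind a reverse proxy always carries the proxy's address; the XFF setting in the eve-log output only changes what is written to the alert record (and the `geoip` keyword compares the same packet addresses). To alert on the client address carried in the header, the rule has to inspect the HTTP header buffer instead. The addresses are the ones from the post, the `http.header` sticky-buffer syntax assumes Suricata 5 or later (Suricata 4 uses the `http_header` modifier), and the sids are placeholders.

```suricata
# Rule B from the post: the source address field is matched against the IP
# header of the packet. Behind a reverse proxy that is the proxy address, so
# this rule never fires for the client address 18.104.22.168, whatever the
# eve-log xff setting says.
alert http 18.104.22.168 any -> any any (msg:"Client IP in address field (does not match behind proxy)"; sid:1000001; rev:1;)

# Same intent, matched on the proxied client address instead. The content
# match on the header name is a cheap prefilter; the pcre then anchors the
# address so 18.104.22.168 does not also match 18.104.22.1681, and allows a
# comma-separated list when several proxies are chained (XFF is client-supplied
# text, so only trust it when the proxy overwrites rather than appends it).
alert http any any -> any any (msg:"TEST with XFF client IP"; flow:to_server,established; http.header; content:"X-Forwarded-For|3a|"; nocase; pcre:"/^X-Forwarded-For:\s*18\.104\.22\.168(?:\s*,|\r?$)/mi"; sid:1000002; rev:1;)
```

Test it with `suricata -T -S xff-test.rules -c suricata.yaml` to check the rules load, then replay a capture containing a request with `X-Forwarded-For: 18.104.22.168` through `suricata -r`; the second rule should produce an alert whose `src_ip` in eve.json still reflects the eve-log xff mode (the proxy address in `extra-data` mode, the header address in `overwrite` mode), which is the part the post's configuration already handles.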