X-Forwarded-For headers non-interpretation in IDP log



  • Hi everyone,

    We are trying to interpret, analyze and make correlations from some of the IDP events generated by SRX-3400 and SRX-650 devices. But we cannot achieve what we need because in some HTTP alerts the source IP address is from Akamai (http://www.akamai.com/) and not from the attacker.

    In deeper analysis we can trace back the attacker's IP address from the binary logs including the packet trace, looking at the X-Forwarded-For HTTP headers. But with this approach we cannot define proper actions at IDP level.

    Also, as far as we know, the SRX-650 series doesn’t support packet traces, so we are blind here and can’t trace the real source of the attacks we are receiving.

    Are we missing something, or is it not possible to interpret the X-Forwarded-For headers directly?

    Any guidance or information will be much appreciated, thank you in advance and have a nice day!
