If you’re responsible for keeping your network safe, you know the feeling: Attackers are constantly finding new ways to slip past defenses, hide their tracks, or make a mess that’s hard to clean up. Today, I’m excited to break down our latest release—NIPS 5.4 and 5.5. This isn’t just a routine update; it’s a direct response to the tricky, real-world problems our teams and customers face every day.
X-Forwarded-For (XFF) Recognition – Seeing the Real Attacker Behind the Proxy
Here’s the classic headache: Your threat logs light up with an attack… but the source IP is your own cloud proxy or a third-party service IP. Without XFF recognition, your security operations team is left chasing ghosts. They might block a proxy IP, which does nothing to stop the real attacker and could break legitimate traffic for other users. Tracing the true origin of an attack for forensics becomes a manual, frustrating, and often impossible detective game. Customers needed a way to automatically cut through the proxy fog.
With the new NIPS release, the system now defaults to parsing and recording the client IP from the X-Forwarded-For header. We’ve added a new “Proxy IP Information Display” switch in the global threat protection settings (enabled by default). When this is on, critical security modules like IPS, Anti-Virus, and Sandboxing will process threat logs differently. If an incoming request contains proxy chain information, the logs won’t just show the last hop; they’ll display the relevant proxy IP details and, most importantly, retain the full proxy chain. You can now take action against the actual malicious client IP, not an innocent intermediary. Goodbye to misplaced blocks.
Optimized HTTP Multi-Decoding – No More Hiding in Plain Sight
Attackers are crafty. They know many security systems perform basic checks on incoming data. So, they layer on multiple encodings—like wrapping a payload in Unicode, then URL-encoding it—to bypass signature-based detection. Without peeling back these layers, the threat slips right through. This evasion technique was a significant blind spot, forcing admins to choose between deeper inspection and performance.
Our new HTTP Multi-Decoding engine tackles this head-on. The system now supports multi-layer, recursive decoding of HTTP traffic that uses URL or Unicode formats. This means it can intelligently decode a payload that’s been encoded two, three, or more times, revealing the original content for inspection. For fine-tuned control, administrators can configure the multi-decoding behavior via CLI commands, deciding how deeply the IPS should dig into encoded payloads. Obfuscation techniques that relied on nested encoding are effectively neutralized. Attackers can’t hide in the layers anymore.
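To make the recursive, depth-limited decoding concrete, here is an added example (not Hillstone's code) that peels URL `%XX` and IIS-style `%uXXXX` escapes one layer at a time until the text stops changing or a depth cap is reached, then runs a constructed signature over the result. The payloads, the signature and the `max_depth` knob (standing in for the CLI-configured decoding depth) are all assumptions for illustration.

```python
import re
import urllib.parse

# IIS-style Unicode escape, e.g. %u0027 -> "'"
_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")

# Constructed signature for the demo; a real IPS carries far richer rules.
SIGNATURE = re.compile(r"<script|union\s+select|'\s*or\s*1=1", re.IGNORECASE)


def decode_once(s: str) -> str:
    """Remove exactly one layer of encoding: %uXXXX first, then standard %XX."""
    s = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)
    return urllib.parse.unquote(s)


def multi_decode(s: str, max_depth: int = 3) -> tuple[str, int]:
    """Recursively decode until the text is stable or max_depth layers are peeled.

    Returns (decoded_text, layers_removed). Capping the depth bounds the CPU
    spent on pathological inputs, which is the trade-off the configurable
    depth exists to manage (the default of 3 here is an assumption).
    """
    depth = 0
    while depth < max_depth:
        nxt = decode_once(s)
        if nxt == s:          # nothing left to decode
            break
        s = nxt
        depth += 1
    return s, depth


def inspect(payload: str, max_depth: int = 3) -> tuple[bool, str, int]:
    """Decode, then match: returns (matched, decoded_text, layers_removed)."""
    decoded, layers = multi_decode(payload, max_depth)
    return bool(SIGNATURE.search(decoded)), decoded, layers


if __name__ == "__main__":
    # Constructed payloads: double-URL-encoded <script>, and a Unicode-escaped quote
    for sample in ("%253Cscript%253E", "%u0027%20or%201%3D1"):
        for depth in (1, 3):
            print(depth, inspect(sample, max_depth=depth))
```

With `max_depth=1` the double-encoded `<script>` is still `%3Cscript%3E` after inspection and the signature misses it; allowing three layers exposes it.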
NIPS 5.4 and 5.5 are about removing the advantages attackers have enjoyed in complex, modern network environments. These updates empower your security team to act with confidence, investigate with clarity, and stop threats more effectively than ever before. For more details, reach out to your Hillstone Networks representative.
