<div dir="ltr">Hello all,<br><br>first of all, follows a disclainer: I'm a newbie at writing Suricata/Snort rules, so don't expect a smart question :P Next, the problem: I have the need to detect if someone is using a rogue proxy in my network. I decided to create an alert for any HTTP request that has a "Via" header different from the expected one (Via: 1.1 PRX1 or 1.1 PRX2). Follows the rule I have written:<br>
<br>alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MYRZ POLICY Rogue proxy detected";flow:established,to_server; content:"Via|3A|"; http_header; nocase; pcre:!"/^Via\x3a 1\.1 PRX[1-2]\r$/Hmi";classtype:policy-violation;sid:2090001;rev:1;)<br>
<br>This isn't full proof, but it does work. The problem is that Suricata is also marking request like the following with this rule.<br><br>upprofile<br>Pragma: playlist-seek-id=762678<br>Pragma: xClientGUID={3300AD50-2C39-46c0-AE0A-5EB360F56D0B}<br>
Pragma: stream-switch-count=1<br>Pragma: stream-switch-entry=ffff:1:0<br>Accept-Language: en-ie, *;q=0.1<br>Connection: Keep-Alive<br><br>Any ideas??<br><br>Thanks in advance. Best regards,<br>Duarte Silva</div>