<div dir="ltr"><div><div>Hi, all:</div><div><br></div><div>We receive spurious sid:2260002 (applayer_detect_protocol_only_one_direction) and sid:2221013 (http.request_header_invalid) alerts when our loadbalancer is configured to inject a 'PROXY' line as defined here:</div><div><br></div><div><a href="http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt">http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt</a></div><div><br></div><div><a href="http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html#proxy-protocol">http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html#proxy-protocol</a></div><div><br></div><div>It looks like neither the layer 4 nor layer 5 parsing of Suricata recognizes that 'PROXY' line.  Has anyone worked around that?  All suggestions are welcome.</div><div><br></div><div>We're running '3.1 RELEASE'.</div><div><br></div><div>A pcap is available here:</div><div><a href="https://drive.google.com/open?id=0Byj5y5jIctH7b0VCSW5TbFc1Tkk">https://drive.google.com/open?id=0Byj5y5jIctH7b0VCSW5TbFc1Tkk</a><br></div><div><br></div><div>- Joe Walp</div><div><br></div></div></div>