<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Aug 31, 2016 at 9:00 AM, <span dir="ltr"><<a href="mailto:oisf-users-request@lists.openinfosecfoundation.org" target="_blank">oisf-users-request@lists.openinfosecfoundation.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
On 31-08-16 01:18, Joe Walp wrote:<br>
> We receive spurious sid:2260002<br>
> (applayer_detect_protocol_only_one_direction) and sid:2221013<br>
> (http.request_header_invalid) alerts when our loadbalancer is configured<br>
> to inject a 'PROXY' line as defined here:<br>
><br>
> <a href="http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt" rel="noreferrer" target="_blank">http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt</a><br>
><br>
> <a href="http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html#proxy-protocol" rel="noreferrer" target="_blank">http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html#proxy-protocol</a><br>
><br>
> It looks like neither the layer 4 nor layer 5 parsing of Suricata<br>
> recognizes that 'PROXY' line. Has anyone worked around that? All<br>
> suggestions are welcome.<br>
><br>
> We're running '3.1 RELEASE'.<br>
><br>
> A pcap is available here:<br>
> <a href="https://drive.google.com/open?id=0Byj5y5jIctH7b0VCSW5TbFc1Tkk" rel="noreferrer" target="_blank">https://drive.google.com/open?id=0Byj5y5jIctH7b0VCSW5TbFc1Tkk</a><br>
<br>
The events are correct. The extra data is not HTTP. Suricata recognizes<br>
the HTTP by the response and then correctly warns you that it didn't<br>
recognize the protocol in both directions.<br>
<br>
Libhtp is then considering the proxy protocol line as the request line<br>
and the real request line as a malformed header.<br>
<br>
There is no quick fix or workaround for this. The solution would be to<br>
add support for this proxy protocol to Suricata (and libhtp perhaps).<br>
<br>
Feel free to open a feature ticket.<br>
<br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" rel="noreferrer" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" rel="noreferrer" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br></blockquote><div><br></div><div><br></div><div>Victor et al:</div><div><br></div><div>Thanks for the prompt response!</div><div><br></div><div>We've compiled Suricata locally, and we'll look into patching.</div><div><br></div><div>Two persons on our team have attempted to register at <a href="http://redmine.openinfosecfoundation.org/projects/suricata">redmine.openinfosecfoundation.org/projects/suricata</a> as a prerequisite for filing a feature ticket. After 18 hours, we haven't yet received a confirmation email to activate either account. Is this typical?</div><div><br></div><div>Kind regards,</div><div>Joe Walp</div></div></div></div>
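<div>The PROXY protocol v1 line Victor describes, as an added example that is not part of this thread, of Suricata or of libhtp: a small Python parser that validates the line against the haproxy spec linked above and strips it, so that an HTTP parser sees the real request line instead of "PROXY TCP4 ...". The sample payload, its addresses and the function names are constructed for this illustration.</div>

```python
"""Detect and strip a HAProxy PROXY protocol v1 line (constructed example)."""
import ipaddress

# Longest valid v1 line per the haproxy spec, CRLF included.
PROXY_V1_MAX_LEN = 107


def strip_proxy_v1(payload: bytes):
    """Return (proxy_info, remaining_bytes).

    proxy_info is None when no PROXY line is present, so the caller hands
    the bytes to the HTTP parser untouched.  A line that starts like PROXY
    v1 but is malformed raises ValueError; a sensor should alert on that.
    """
    if not payload.startswith(b"PROXY "):
        return None, payload
    end = payload.find(b"\r\n", 0, PROXY_V1_MAX_LEN)
    if end == -1:
        raise ValueError("PROXY line not CRLF-terminated within 107 bytes")
    fields = payload[:end].decode("ascii").split(" ")
    rest = payload[end + 2:]
    # "PROXY UNKNOWN" may carry arbitrary text up to CRLF; it is ignored.
    if fields[1] == "UNKNOWN":
        return {"family": "UNKNOWN"}, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line: %r" % payload[:end])
    _, family, src, dst, sport, dport = fields
    version = 4 if family == "TCP4" else 6
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != version or dst_ip.version != version:
        raise ValueError("address family does not match %s" % family)
    ports = []
    for p in (sport, dport):
        # Ports are decimal, at most 5 digits, in the range 0..65535.
        if not p.isdigit() or len(p) > 5 or int(p) > 65535:
            raise ValueError("bad port %r" % p)
        ports.append(int(p))
    info = {"family": family, "src": str(src_ip), "dst": str(dst_ip),
            "sport": ports[0], "dport": ports[1]}
    return info, rest


# Constructed sample of what a sensor sees behind a PROXY-enabled load
# balancer; addresses are taken from the RFC 5737 documentation ranges.
SAMPLE = (b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 80\r\n"
          b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")


def http_request_line(payload: bytes) -> bytes:
    """Request line an HTTP parser sees once the PROXY line is stripped."""
    _, rest = strip_proxy_v1(payload)
    return rest.split(b"\r\n", 1)[0]
```

Without the stripping step the first line of SAMPLE, "PROXY TCP4 ...", is what libhtp takes as the request line, which is exactly the misparse behind the two alerts above.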