[Oisf-users] Problems with rule to detect proxy usage

Duarte Silva duarte.silva at serializing.me
Thu Feb 7 17:53:34 UTC 2013


Hello all,

first of all, follows a disclaimer: I'm a newbie at writing Suricata/Snort
rules, so don't expect a smart question :P Next, the problem: I have the
need to detect if someone is using a rogue proxy in my network. I decided
to create an alert for any HTTP request that has a "Via" header different
from the expected one (Via: 1.1 PRX1 or 1.1 PRX2). Follows the rule I have
written:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MYRZ POLICY Rogue proxy detected"; flow:established,to_server; content:"Via|3A|"; http_header; nocase; pcre:!"/^Via\x3a 1\.1 PRX[1-2]\r$/Hmi"; classtype:policy-violation; sid:2090001; rev:1;)

This isn't foolproof, but it does work. The problem is that Suricata is
also marking requests like the following with this rule.

upprofile
Pragma: playlist-seek-id=762678
Pragma: xClientGUID={3300AD50-2C39-46c0-AE0A-5EB360F56D0B}
Pragma: stream-switch-count=1
Pragma: stream-switch-entry=ffff:1:0
Accept-Language: en-ie, *;q=0.1
Connection: Keep-Alive

Any ideas??

Thanks in advance. Best regards,
Duarte Silva
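The following is an added test harness, not code from the post or from the Suricata project. It implements the allow-list check the rule above intends (flag any Via header whose value is not "1.1 PRX1" or "1.1 PRX2") over raw HTTP request heads, and separately re-applies the post's own pcre to a header buffer so the pattern can be exercised against candidate inputs before it goes into production. The request samples are constructed; the proxy names PRX1/PRX2 are the poster's. Note that the pcre anchors on a literal `\r` before `$`, so the second helper lets you check how it behaves on a buffer with and without the carriage return, which is worth verifying against whatever the engine actually hands to pcre for the http_header buffer.

```python
import re
from typing import List, Tuple

# Allow-list from the post: only these Via values are expected on the network.
EXPECTED_VIA = re.compile(r"^1\.1 PRX[1-2]$", re.IGNORECASE)

# The post's pcre, transcribed with the same flags (m = multiline, i = nocase).
POST_PCRE = re.compile(r"^Via\x3a 1\.1 PRX[1-2]\r$", re.IGNORECASE | re.MULTILINE)


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw HTTP request head into (name, value) pairs; the request line is skipped."""
    text = raw.decode("latin-1")
    headers = []
    for line in text.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        if ":" not in line:  # tolerate junk lines instead of crashing
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def rogue_proxy(raw: bytes) -> bool:
    """True when at least one Via header is present and not on the allow-list.

    Requests with no Via header at all are not flagged: the rule's stated intent
    is to catch unexpected proxies, not direct connections.
    """
    vias = [v for n, v in parse_headers(raw) if n.lower() == "via"]
    return any(EXPECTED_VIA.match(v) is None for v in vias)


def pcre_verdict(header_buffer: str) -> bool:
    """Mirror the rule's logic on a header buffer: 'Via:' present AND negated pcre does not match."""
    has_via = "via:" in header_buffer.lower()  # content:"Via|3A|"; nocase;
    return has_via and POST_PCRE.search(header_buffer) is None  # pcre:!"..."


# Constructed samples (hostnames and values are made up for the harness).
SAMPLE_EXPECTED = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Via: 1.1 PRX1\r\nConnection: Keep-Alive\r\n\r\n"
)
SAMPLE_ROGUE = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Via: 1.1 squid.lan\r\n\r\n"
)
SAMPLE_NO_VIA = (
    b"GET /stream HTTP/1.1\r\nHost: media.example.com\r\n"
    b"Pragma: playlist-seek-id=762678\r\nConnection: Keep-Alive\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("expected", SAMPLE_EXPECTED), ("rogue", SAMPLE_ROGUE), ("no-via", SAMPLE_NO_VIA)):
        print(label, "-> alert" if rogue_proxy(sample) else "-> ok")
    # Same header, once with CRLF line endings and once with bare LF.
    print("pcre on CRLF buffer:", pcre_verdict("Host: x\r\nVia: 1.1 PRX1\r\n"))
    print("pcre on LF buffer:  ", pcre_verdict("Host: x\nVia: 1.1 PRX1\n"))
```

Running the harness over a pcap-derived set of request heads (for example dumped with Suricata's HTTP logging) gives a quick way to see which requests trip `rogue_proxy` versus `pcre_verdict`; any request that alerts under the second but not the first points at the pattern rather than the allow-list as the thing to adjust.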