[Oisf-users] Problems with rule to detect proxy usage

Anoop Saldanha anoopsaldanha at gmail.com
Thu Feb 7 18:05:03 UTC 2013


On Thu, Feb 7, 2013 at 11:23 PM, Duarte Silva
<duarte.silva at serializing.me> wrote:
> Hello all,
>
> first of all, follows a disclaimer: I'm a newbie at writing Suricata/Snort
> rules, so don't expect a smart question :P Next, the problem: I have the
> need to detect if someone is using a rogue proxy in my network. I decided to
> create an alert for any HTTP request that has a "Via" header different from
> the expected one (Via: 1.1 PRX1 or 1.1 PRX2). Follows the rule I have
> written:
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MYRZ POLICY Rogue proxy detected"; flow:established,to_server; content:"Via|3A|"; http_header; nocase; pcre:!"/^Via\x3a 1\.1 PRX[1-2]\r$/Hmi"; classtype:policy-violation; sid:2090001; rev:1;)
>
> This isn't foolproof, but it does work. The problem is that Suricata is
> also marking requests like the following with this rule.
>
> upprofile
> Pragma: playlist-seek-id=762678
> Pragma: xClientGUID={3300AD50-2C39-46c0-AE0A-5EB360F56D0B}
> Pragma: stream-switch-count=1
> Pragma: stream-switch-entry=ffff:1:0
> Accept-Language: en-ie, *;q=0.1
> Connection: Keep-Alive
>
> Any ideas??
>

If the header is what you posted, we shouldn't alert.  Can you supply
a pcap against this?  You can share it privately if you want to.

-- 
Anoop Saldanha
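To make the rule's matching logic concrete, here is an added Python model of it (not code from this thread or from Suricata; the header samples are constructed): it reproduces the unanchored, case-insensitive content match followed by the anchored, negated pcre over CRLF-terminated header lines, and shows which kinds of header blocks the rule as written alerts on.

```python
import re

# Python re equivalents of the rule's two matches: the unanchored,
# case-insensitive content match and the anchored, negated pcre.
# re.M mimics the pcre /m flag, re.I the /i flag.
CONTENT_VIA = re.compile(r"Via\x3a", re.I)
EXPECTED_VIA = re.compile(r"^Via\x3a 1\.1 PRX[1-2]\r$", re.M | re.I)

def rule_fires(http_header_buffer: str) -> bool:
    """True when the rule would alert on this header buffer.

    The rule alerts when "Via:" occurs anywhere in the headers (content match)
    AND no header line is exactly "Via: 1.1 PRX1" or "Via: 1.1 PRX2"
    (negated pcre). Header lines are CRLF-terminated, as in the buffer.
    """
    if CONTENT_VIA.search(http_header_buffer) is None:
        return False  # content match fails, so the rule cannot fire
    return EXPECTED_VIA.search(http_header_buffer) is None  # negated pcre

def headers(*lines: str) -> str:
    """Join constructed header lines with CRLF, as the detection buffer sees them."""
    return "".join(line + "\r\n" for line in lines)

# Constructed sample header blocks (not taken from the thread).
SAMPLES = {
    "expected_proxy":  headers("Host: intranet.example", "Via: 1.1 PRX1"),
    "expected_lower":  headers("Host: intranet.example", "via: 1.1 prx2"),
    "no_via_header":   headers("Host: intranet.example", "Connection: Keep-Alive"),
    "rogue_proxy":     headers("Host: intranet.example", "Via: 1.1 homeproxy"),
    # Two sanctioned hops in one Via header: the pcre expects a single hop, so it alerts.
    "chained_proxies": headers("Host: intranet.example", "Via: 1.1 PRX1, 1.1 PRX2"),
    # "Via:" matched as a substring of another header name: content hits,
    # the anchored pcre misses, so this alerts although no Via header is present.
    "substring_match": headers("Host: intranet.example", "X-Via: 1.1 PRX1"),
}

def evaluate_samples() -> dict:
    """Return the rule's verdict for each constructed sample."""
    return {name: rule_fires(block) for name, block in SAMPLES.items()}

if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:16s} -> {'ALERT' if fired else 'pass'}")
```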
