[Oisf-users] spurious alerts 2260002, 2221013 when loadbalancer adds 'PROXY'
Joe Walp
joe.walp at getbraintree.com
Tue Aug 30 23:18:27 UTC 2016
Hi, all:
We receive spurious sid:2260002
(applayer_detect_protocol_only_one_direction) and sid:2221013
(http.request_header_invalid) alerts when our loadbalancer is configured to
inject a 'PROXY' line as defined here:
http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html#proxy-protocol
It looks like neither the layer 4 nor layer 5 parsing of Suricata
recognizes that 'PROXY' line. Has anyone worked around that? All
suggestions are welcome.
We're running '3.1 RELEASE'.
A pcap is available here:
https://drive.google.com/open?id=0Byj5y5jIctH7b0VCSW5TbFc1Tkk
- Joe Walp