[Oisf-users] spurious alerts 2260002, 2221013 when loadbalancer adds 'PROXY'

Joe Walp joe.walp at getbraintree.com
Tue Aug 30 23:18:27 UTC 2016

Hi, all:

We receive spurious sid:2260002
(applayer_detect_protocol_only_one_direction) and sid:2221013
(http.request_header_invalid) alerts when our loadbalancer is configured to
inject a 'PROXY' line as defined here:



It looks like neither the layer 4 nor layer 5 parsing of Suricata
recognizes that 'PROXY' line.  Has anyone worked around that?  All
suggestions are welcome.

We're running '3.1 RELEASE'.

A pcap is available here:

- Joe Walp
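
Added example, not part of the original message and not Suricata code: a sketch of why a stream that begins with a 'PROXY' line fails an HTTP request-line check, and how the line can be validated and split off before the HTTP bytes are inspected. It assumes the injected line is a PROXY protocol version 1 text header (the link in the message did not survive); the function names, the simplified request-line regex and the sample bytes are constructed for illustration.

```python
import ipaddress
import re

MAX_V1_LEN = 107  # longest PROXY v1 line, CRLF included
# Simplified request-line check for illustration, not Suricata's parser.
REQUEST_LINE = re.compile(rb"[A-Z]+ \S+ HTTP/1\.[01]")

# Constructed sample: bytes as seen on the backend side of the load balancer.
SAMPLE = (b"PROXY TCP4 192.0.2.10 198.51.100.5 56324 80\r\n"
          b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")

def first_line_is_http(payload: bytes) -> bool:
    """True when the first line of the payload looks like an HTTP/1.x request line."""
    return REQUEST_LINE.fullmatch(payload.split(b"\r\n", 1)[0]) is not None

def split_proxy_v1(payload: bytes):
    """Return (info, rest); info is None when no PROXY v1 line leads the payload."""
    if not payload.startswith(b"PROXY "):
        return None, payload
    end = payload.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ValueError("PROXY line not terminated within 107 bytes")
    fields = payload[:end].decode("ascii").split(" ")
    rest = payload[end + 2:]
    if fields[1] == "UNKNOWN":  # address fields may be absent for this family
        return {"family": "UNKNOWN"}, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY line")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match " + fields[1])
    if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:6]):
        raise ValueError("bad port")
    return {"family": fields[1], "src": str(src), "dst": str(dst),
            "sport": int(fields[4]), "dport": int(fields[5])}, rest

if __name__ == "__main__":
    print("raw stream starts with HTTP request line:", first_line_is_http(SAMPLE))
    info, rest = split_proxy_v1(SAMPLE)
    print("PROXY header:", info)
    print("after stripping, starts with HTTP request line:", first_line_is_http(rest))
```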