[Oisf-users] spurious alerts 2260002, 2221013 when loadbalancer adds 'PROXY'

Victor Julien lists at inliniac.net
Wed Aug 31 06:39:26 UTC 2016

On 31-08-16 01:18, Joe Walp wrote:
> We receive spurious sid:2260002
> (applayer_detect_protocol_only_one_direction) and sid:2221013
> (http.request_header_invalid) alerts when our loadbalancer is configured
> to inject a 'PROXY' line as defined here:
> http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
> http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html#proxy-protocol
> It looks like neither the layer 4 nor layer 5 parsing of Suricata
> recognizes that 'PROXY' line.  Has anyone worked around that?  All
> suggestions are welcome.
> We're running '3.1 RELEASE'.
> A pcap is available here:
> https://drive.google.com/open?id=0Byj5y5jIctH7b0VCSW5TbFc1Tkk

The events are correct. The extra data is not HTTP. Suricata recognizes
the HTTP by the response and then correctly warns you that it didn't
recognize the protocol in both directions.

Libhtp is then considering the proxy protocol line as the request line
and the real request line as a malformed header.

There is no quick fix or workaround for this. The solution would be to
add support for this proxy protocol to Suricata (and libhtp perhaps).

Feel free to open a feature ticket.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
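To make the mis-parse Victor describes concrete, here is an added example (not code from this thread, Suricata or libhtp) in Python: a parser for the PROXY protocol v1 line as specified in the haproxy document linked above, run over a constructed stream to show the PROXY line landing in the request-line slot and the real request line showing up as a colon-less header, then the same stream after the line is stripped. The addresses, ports and request are constructed sample values.

```python
import ipaddress

# PROXY protocol v1 (haproxy proxy-protocol.txt): a single text line,
# "PROXY <TCP4|TCP6|UNKNOWN> <src> <dst> <sport> <dport>\r\n", at most
# 107 bytes including the CRLF, sent once at the very start of the stream.
MAX_V1_LEN = 107

def strip_proxy_v1(payload: bytes):
    """Split a leading PROXY v1 line off a TCP stream.

    Returns (info, rest): info is a dict of the parsed fields, or None when
    the stream does not start with a PROXY line; rest is what an HTTP parser
    should actually be handed. Malformed lines raise ValueError.
    """
    if not payload.startswith(b"PROXY "):
        return None, payload
    end = payload.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ValueError("PROXY line not terminated by CRLF within 107 bytes")
    fields = payload[:end].split(b" ")
    rest = payload[end + 2:]
    if fields[1] == b"UNKNOWN":          # spec: receiver ignores the rest of the line
        return {"family": "UNKNOWN"}, rest
    if len(fields) != 6 or fields[1] not in (b"TCP4", b"TCP6"):
        raise ValueError("malformed PROXY v1 line")
    src = ipaddress.ip_address(fields[2].decode("ascii"))
    dst = ipaddress.ip_address(fields[3].decode("ascii"))
    want = 4 if fields[1] == b"TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match TCP4/TCP6 keyword")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return {"family": fields[1].decode(), "src": str(src), "dst": str(dst),
            "src_port": sport, "dst_port": dport}, rest

def request_line(payload: bytes) -> str:
    """What an HTTP parser takes as the request line: the first CRLF-terminated line."""
    return payload.split(b"\r\n", 1)[0].decode("ascii", "replace")

def invalid_header_lines(payload: bytes) -> list:
    """Header lines (after the request line, before the blank line) lacking a ':'."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    return [l.decode("ascii", "replace") for l in head.split(b"\r\n")[1:] if b":" not in l]

# Constructed sample: a loadbalancer's PROXY line followed by the real GET.
SAMPLE = (b"PROXY TCP4 198.51.100.7 203.0.113.9 56324 80\r\n"
          b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")

if __name__ == "__main__":
    print("seen as request line:", request_line(SAMPLE))
    print("flagged as invalid headers:", invalid_header_lines(SAMPLE))
    info, rest = strip_proxy_v1(SAMPLE)
    print("after stripping:", info, request_line(rest), invalid_header_lines(rest))
```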
