[Oisf-users] spurious alerts 2260002, 2221013 when loadbalancer adds 'PROXY'
Joe Walp
joe.walp at getbraintree.com
Wed Aug 31 16:58:51 UTC 2016
On Wed, Aug 31, 2016 at 9:00 AM, <
oisf-users-request at lists.openinfosecfoundation.org> wrote:
>
> On 31-08-16 01:18, Joe Walp wrote:
> > We receive spurious sid:2260002
> > (applayer_detect_protocol_only_one_direction) and sid:2221013
> > (http.request_header_invalid) alerts when our loadbalancer is configured
> > to inject a 'PROXY' line as defined here:
> >
> > http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
> >
> > http://docs.aws.amazon.com/elasticloadbalancing/latest/
> classic/enable-proxy-protocol.html#proxy-protocol
> >
> > It looks like neither the layer 4 nor layer 5 parsing of Suricata
> > recognizes that 'PROXY' line. Has anyone worked around that? All
> > suggestions are welcome.
> >
> > We're running '3.1 RELEASE'.
> >
> > A pcap is available here:
> > https://drive.google.com/open?id=0Byj5y5jIctH7b0VCSW5TbFc1Tkk
>
> The events are correct. The extra data is not HTTP. Suricata recognizes
> the HTTP by the response and then correctly warns you that it didn't
> recognize the protocol in both direction.
>
> Libhtp is then considering the proxy protocol line as the request line
> and the real request line as a malformed header.
>
> There is no quick fix or workaround for this. The solution would be to
> add support for this proxy protocol to Suricata (and libhtp perhaps).
>
> Feel free to open a feature ticket.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
Victor et al:
Thanks for the prompt response!
We've compiled Suricata locally, and we'll look into patching.
Two persons on our team have attempted to register at
redmine.openinfosecfoundation.org/projects/suricata as a prerequisite for
filing a feature ticket. After 18 hours, we haven't yet received a
confirmation email to activate either account. Is this typical?
Kind regards,
Joe Walp
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160831/9138e67f/attachment-0002.html>
More information about the Oisf-users
mailing list