[Oisf-users] potential false alert

Jeff Dyke jeff.dyke at gmail.com
Tue Dec 12 15:11:40 UTC 2017


I have the following requests that come in from HAProxy, which adds the
proxy_protocol[1] portion to the requests so nginx will read the
{EXTERNAL_IP} rather than {INTERNAL_LB} for the access.log. With 4.0 I'd
occasionally see these hitting rule 2221002 - SURICATA HTTP request field
missing colon. I think it is due to the leading PROXY TCP4 bits. The number
has jumped dramatically with the update to 4.0.3, and I wanted to get others'
opinions before writing a rule to ignore it, as IMO it's benign and proper
behavior, but others matching this rule may not be.

-- Payload printable --
PROXY TCP4 {EXTERNAL_IP} {INTERNAL_LB} 52627 443\r\nGET /
HTTP/1.1\r\nAccept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nUser-Agent:
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/52.0.2743.116 Safari/537.36\r\nAccept-Language:
en-US\r\nAccept-Encoding: gzip, deflate\r\nHost: adomainiown.com\r\n\r\n
-- End Payload Printable --

If anyone sees something else in here that would match that rule, that
would also be helpful. I've dug through the source a bit, but I'm having a
hard time figuring out exactly where this is parsed into an alert.

Thanks

[1] https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
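The following is an added example, not code from the post or from Suricata: it parses the PROXY protocol v1 line (the format in [1]) off the front of the quoted payload and runs a simplified "every header line needs a colon" check that mimics the logic behind the alert. With the PROXY line present, the check treats it as the request line and flags "GET / HTTP/1.1" as a header without a colon; with the line stripped, nothing is flagged. The IP placeholders from the post are replaced with constructed RFC 5737 documentation addresses, and all function names are my own.

```python
import re

# PROXY protocol v1 header: "PROXY TCP4|TCP6 src dst sport dport\r\n",
# or "PROXY UNKNOWN ...\r\n" where everything after UNKNOWN is ignored.
PROXY_V1 = re.compile(
    rb"^PROXY (?:(TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})|UNKNOWN[^\r\n]*)\r\n"
)


def strip_proxy_v1(payload: bytes):
    """Split a leading PROXY v1 header from the bytes that follow it.

    Returns (fields, rest). fields is None when no PROXY header is present,
    in which case rest is the unchanged payload.
    """
    m = PROXY_V1.match(payload)
    if not m:
        return None, payload
    if m.group(1) is None:
        return {"proto": "UNKNOWN"}, payload[m.end():]
    fields = {
        "proto": m.group(1).decode(),
        "src_ip": m.group(2).decode(), "dst_ip": m.group(3).decode(),
        "src_port": int(m.group(4)), "dst_port": int(m.group(5)),
    }
    return fields, payload[m.end():]


def header_lines_missing_colon(http_request: bytes):
    """Simplified stand-in for the check behind 'request field missing colon':
    every line after the request line, up to the blank line, must contain ':'.
    Returns the offending lines."""
    head = http_request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    return [line for line in lines[1:] if line and b":" not in line]


# The payload quoted in the post, with constructed documentation addresses.
PAYLOAD = (
    b"PROXY TCP4 198.51.100.23 203.0.113.10 52627 443\r\n"
    b"GET / HTTP/1.1\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36\r\n"
    b"Accept-Language: en-US\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Host: adomainiown.com\r\n\r\n"
)

if __name__ == "__main__":
    print("flagged with PROXY line:", header_lines_missing_colon(PAYLOAD))
    fields, http = strip_proxy_v1(PAYLOAD)
    print("PROXY fields:", fields)
    print("flagged after stripping:", header_lines_missing_colon(http))
```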