[Oisf-users] potential false alert

Victor Julien lists at inliniac.net
Tue Dec 12 15:19:01 UTC 2017


On 12-12-17 16:11, Jeff Dyke wrote:
> I have the following requests that come in from HAProxy, which adds
> proxy_protocol[1] portion to the requests so nginx will read the
> {EXTERNAL_IP} rather than {INTERNAL_LB} for the access.log, with 4.0 I'd
> occasionally see these hitting rule 2221002 -  SURICATA HTTP request
> field missing colon. I think it is due to the leading PROXY TCP4 bits.
> The number has jumped dramatically with the update to 4.0.3 and wanted
> to get others opinions, before writing a rule to ignore it as IMO it's
> benign and proper behavior, but others matching this rule may not be.
> 
> -- Payload printable --
> PROXY TCP4 {EXTERNAL_IP} {INTERNAL_LB} 52627 443\r\nGET /
> HTTP/1.1\r\nAccept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nUser-Agent:
> Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like
> Gecko) Chrome/52.0.2743.116 Safari/537.36\r\nAccept-Language:
> en-US\r\nAccept-Encoding: gzip, deflate\r\nHost: adomainiown.com
> <http://adomainiown.com>\r\n\r\n
> -- End Payload Printable --
> 
> If anyone sees something else in here that would match that rule, that
> would also be helpful.  I've dug through the source a bit, but having a
> hard time figuring out exactly where this is parsed into an alert.
> 
> Thanks
> 
> [1] https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

It may be benign traffic, but it's not valid HTTP. That's the problem here. I
guess we could add support for this proxy proto (and other similar
wrappers).

If you want you can open a feature ticket. A pcap with it would be very
welcome.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
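To make the false positive in this thread concrete, here is an added example (not code from the thread, from Suricata, or from HAProxy) that parses a PROXY protocol v1 header off the front of a TCP payload and shows why an HTTP parser that does not know about the wrapper flags a header line without a colon: the parser takes `PROXY TCP4 ...` as the request line, so `GET / HTTP/1.1` lands in the header section, where every line is expected to contain a colon. The payload is constructed to mirror the one quoted above, with placeholder addresses; the header grammar and 107-byte limit follow the proxy-protocol.txt document linked in the original post.

```python
"""Split a HAProxy PROXY protocol v1 header from a captured payload and
mimic the "HTTP request field missing colon" check on the result.

Added example for illustration; not Suricata's or HAProxy's own code.
"""
import ipaddress

# Constructed payload modelled on the one quoted in the thread.
# The IP addresses are documentation/private placeholders, not real hosts.
SAMPLE = (
    b"PROXY TCP4 203.0.113.10 10.0.0.5 52627 443\r\n"
    b"GET / HTTP/1.1\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36\r\n"
    b"Accept-Language: en-US\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Host: adomainiown.com\r\n"
    b"\r\n"
)

# v1 header: "PROXY" SP ("TCP4"|"TCP6"|"UNKNOWN") [SP src SP dst SP sport SP dport] CRLF
# The whole line, CRLF included, is at most 107 bytes.
PROXY_V1_MAX = 107


def _port(text: str):
    """Return the port as int if text is a valid decimal port, else None."""
    if not text.isdigit() or len(text) > 5:
        return None
    value = int(text)
    return value if value <= 65535 else None


def split_proxy_v1(payload: bytes):
    """Return (header, remaining_bytes).

    header is a dict describing the PROXY v1 line, or None when no
    well-formed header is present; in that case the payload is returned
    unchanged so the caller can treat it as ordinary application data.
    """
    if not payload.startswith(b"PROXY "):
        return None, payload
    end = payload.find(b"\r\n", 0, PROXY_V1_MAX)
    if end == -1:  # no CRLF within the spec's length limit
        return None, payload
    try:
        parts = payload[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        return None, payload
    proto = parts[1] if len(parts) >= 2 else ""
    header = {"proto": proto}
    if proto == "UNKNOWN":
        # Spec: the receiver ignores anything after UNKNOWN up to the CRLF.
        return header, payload[end + 2:]
    if proto not in ("TCP4", "TCP6") or len(parts) != 6:
        return None, payload
    family = 4 if proto == "TCP4" else 6
    try:
        src = ipaddress.ip_address(parts[2])
        dst = ipaddress.ip_address(parts[3])
    except ValueError:
        return None, payload
    if src.version != family or dst.version != family:
        return None, payload
    sport, dport = _port(parts[4]), _port(parts[5])
    if sport is None or dport is None:
        return None, payload
    header.update(src_addr=str(src), dst_addr=str(dst),
                  src_port=sport, dst_port=dport)
    return header, payload[end + 2:]


def header_lines_missing_colon(payload: bytes):
    """Naive model of the check behind the alert in the thread: treat the
    first line as the request line and require a colon in every non-empty
    header line before the blank line that ends the header block."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return [line for line in lines[1:] if line and b":" not in line]


if __name__ == "__main__":
    hdr, rest = split_proxy_v1(SAMPLE)
    print("PROXY header:", hdr)
    print("raw payload, lines without colon:", header_lines_missing_colon(SAMPLE))
    print("after stripping, lines without colon:", header_lines_missing_colon(rest))
```

Run as-is, the raw payload yields `[b'GET / HTTP/1.1']` from the colon check, which is the line the rule trips on; once the PROXY line is removed the same check returns an empty list, so the remaining request is well-formed HTTP. The parser rejects malformed PROXY lines (wrong address family, out-of-range port, no CRLF within 107 bytes) by returning the payload untouched, so a sensor layering this in front of an HTTP parser would not silently drop bytes it could not account for.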
