[Oisf-users] potential false alert

Victor Julien lists at inliniac.net
Tue Dec 12 15:19:01 UTC 2017

On 12-12-17 16:11, Jeff Dyke wrote:
> I have the following requests that come in from HAProxy, which adds
> proxy_protocol[1] portion to the requests so nginx will read the
> {EXTERNAL_IP} rather than {INTERNAL_LB} for the access.log, with 4.0 i'd
> occasionally see these hitting rule 2221002 -  SURICATA HTTP request
> field missing colon. I think it is due to the leading PROXY TCP4 bits.
> The number has jumped dramatically with the update to 4.0.3 and wanted
> to get others opinions, before writing a rule to ignore it as IMO it's
> benign and proper behavior, but others matching this rule may not be. 
> -- Payload printable --
> HTTP/1.1\r\nAccept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nUser-Agent:
> Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like
> Gecko) Chrome/52.0.2743.116 Safari/537.36\r\nAccept-Language:
> en-US\r\nAccept-Encoding: gzip, deflate\r\nHost: adomainiown.com
> <http://adomainiown.com>\r\n\r\n
> -- End Payload Printable --
> If anyone sees something else in here that would match that rule, that
> would also be helpful.  I've dug through the source a bit, but having a
> hard time figuring out exactly where this is parsed into an alert.
> Thanks
> [1] https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

It may be benign traffic, it's not valid HTTP. Thats the problem here. I
guess we could add support for this proxy proto (and other similar

If you want you can open a feature ticket. A pcap with it would be very

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list