We are running Suricata 7.0.0 in container mode using host networking. Currently, our IDPS is configured in Alert only (IDS) mode using the af_packet method.
Setup:
Client ------- Proxy (TP+EP) + Suricata ------- Server
TP: Transparent-Proxy
EP: Explicit-Proxy
Client-IP: 1.2.3.4
Proxy-IP: 50.51.52.53 (TP-Proxy-Port: 80, EP-Proxy-Port: 9001)
Server-IP: 100.101.102.102 (domain: myserver)
When the client sends a request directly to the server via the Proxy (Transparent Proxy), Suricata is able to alert on the request. However, when the client uses an Explicit Proxy, Suricata is not able to alert on the same request.
Details:
TP Flow:
curl http://myserver/index.html -A HaxerMen
EP Flow:
curl -x http://50.51.52.53:9001 http://myserver/index.html -A HaxerMen
Suricata is able to alert on the first flow (TP flow), but it fails to detect the second flow (EP flow). The only difference between these flows for Suricata is the HTTP header (as per my understanding), where in TP mode the “url” is set to “/index.html” and in EP flow the “url” is set to “http://myserver/index.html”.
Question:
Does Suricata support proxy requests (requests sent to the proxy directly instead of the server)? What is required to enable Suricata to work for both Transparent-Proxy and Explicit-Proxy modes?
Note: For performance improvement, we have configured a Suricata bypass rule for anything originating from the Proxy (50.51.52.53) with any port to any destination-ip and destination-port [pass ip 50.51.52.53 any -> any any (msg:"OUR_BYPASS"; bypass; sid:2; rev:1;)]. When we removed this bypass rule, we surprisingly saw that Suricata was able to alert for EP flow as well. However, this bypass flow was for Proxy to anywhere. We still wonder why it does not alert requests sent directly to the Proxy (using Proxy header) from the client.
Please let me know if you need any more information.
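The post contrasts the two request-target forms a sensor sees: origin-form ("/index.html") in the TP flow and absolute-form ("http://myserver/index.html") in the EP flow. The following is an added example, not code from the post or from Suricata, that parses both forms into one normalized host/path view so a User-Agent check gives the same result for either flow; the two request byte strings are constructed to approximate what the two curl commands emit.

```python
from urllib.parse import urlsplit


def parse_request(raw: bytes) -> dict:
    """Parse an HTTP/1.x request head into method, host, path and headers.

    Absolute-form targets (RFC 7230 section 5.3.2, used when talking to an
    explicit proxy) carry the host in the request line; origin-form targets
    rely on the Host header. Both are reduced to the same (host, path) pair.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)          # absolute-form: host is in the target
        host = parts.hostname or ""
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
    else:                                 # origin-form: host comes from Host header
        host = headers.get("host", "").split(":")[0]
        path = target
    return {"method": method, "host": host, "path": path, "headers": headers}


def matches_suspicious_ua(req: dict, marker: str = "HaxerMen") -> bool:
    """Detection check on the normalized request: same logic for TP and EP flows."""
    return marker in req["headers"].get("user-agent", "")


# Constructed sample requests (not captured traffic) approximating the post's two curl runs.
TP_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: myserver\r\n"
              b"User-Agent: HaxerMen\r\nAccept: */*\r\n\r\n")
EP_REQUEST = (b"GET http://myserver/index.html HTTP/1.1\r\nHost: myserver\r\n"
              b"User-Agent: HaxerMen\r\nAccept: */*\r\n"
              b"Proxy-Connection: Keep-Alive\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("TP", TP_REQUEST), ("EP", EP_REQUEST)):
        req = parse_request(raw)
        print(label, req["host"], req["path"], "alert" if matches_suspicious_ua(req) else "clean")
```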