Issues with Alerting on Explicit Proxy Requests

We are running Suricata 7.0.0 in container mode using host networking. Currently, our IDPS is configured in Alert only (IDS) mode using the af_packet method.

Setup:

Client ------- Proxy (TP+EP) + Suricata ------- Server

TP: Transparent-Proxy
EP: Explicit-Proxy

Client-IP: 1.2.3.4
Proxy-IP: 50.51.52.53 (TP-Proxy-Port: 80, EP-Proxy-Port: 9001)
Server-IP: 100.101.102.102 (domain: myserver)

When the client sends a request directly to the server via the Proxy (Transparent Proxy), Suricata is able to alert on the request. However, when the client uses an Explicit Proxy, Suricata is not able to alert on the same request.

Details:

  1. TP Flow:
    curl http://myserver/index.html -A HaxerMen

  2. EP Flow:
    curl -x http://50.51.52.53:9001 http://myserver/index.html -A HaxerMen

Suricata is able to alert on the first flow (TP flow), but it fails to detect the second flow (EP flow). The only difference between these flows for Suricata is the HTTP header (as per my understanding), where in TP mode the "url" is set to "/index.html" and in EP flow the "url" is set to "http://myserver/index.html".

Question:

Does Suricata support proxy requests (requests sent to the proxy directly instead of the server)? What is required to enable Suricata to work for both Transparent-Proxy and Explicit-Proxy modes?

Note: For performance improvement, we have configured a Suricata bypass rule for anything originating from the Proxy (50.51.52.53) with any port to any destination-ip and destination-port [pass ip 50.51.52.53 any -> any any (msg:"OUR_BYPASS"; bypass; sid:2; rev:1;)]. When we removed this bypass rule, we surprisingly saw that Suricata was able to alert for the EP flow as well. However, this bypass rule was for Proxy to anywhere. We still wonder why it does not alert on requests sent directly to the Proxy (using the Proxy header) from the client.

Please let me know if you need any more information.

It seems that direct Proxy requests are not working. When we removed the bypass rule, the Proxy to Server traffic became a normal request, allowing Suricata to alert on the outbound traffic (Proxy to Server). Somehow, using that context, it was also able to alert on the inbound traffic (Client to Proxy) for the Explicit Proxy flow.

However, this is not the case with the Transparent Proxy, where even with the bypass rule, Suricata is still able to alert on the inbound traffic (Client to Proxy).

Can you please help with this?
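The following is an added illustration, not code from the post or from Suricata. It is a deliberately simplified model of how a source-IP `pass ... bypass` rule interacts with the three flows described above (the transparent flow, the explicit-proxy flow, and the proxy's own outbound flow), built on two assumptions that should be checked against your own traffic: that a `pass ip` rule is evaluated against packets in both directions of a flow and matches whenever the packet's source and destination addresses fit the rule, and that `bypass` marks the whole flow so nothing later in either direction is inspected. Under those assumptions, the explicit-proxy flow differs from the transparent one only in that the proxy's own address appears as the source of its reply packets, which is enough for a `50.51.52.53 any -> any any` pass rule to hit. The `to_server` flag in the model stands in for narrowing the rule with `flow:to_server` so that it only covers flows the proxy itself originates; whether that is the right scoping for your deployment is likewise an assumption to verify.

```python
from dataclasses import dataclass, field

# Addresses taken from the post; the User-Agent marker is what an alert rule
# is assumed to be looking for in the request.
CLIENT = "1.2.3.4"
PROXY = "50.51.52.53"
SERVER = "100.101.102.102"
UA_MARKER = "HaxerMen"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str = ""  # HTTP request bytes, if this packet carries any


@dataclass(frozen=True)
class PassRule:
    """Stand-in for `pass ip SRC any -> DST any (bypass;)`.

    to_server=True models adding `flow:to_server`, i.e. only packets sent by
    the endpoint that opened the flow can match (assumption, see lead-in).
    """
    src: str
    dst: str
    to_server: bool = False

    def matches(self, pkt: Packet, originator: str) -> bool:
        if self.to_server and pkt.src != originator:
            return False
        return self.src in ("any", pkt.src) and self.dst in ("any", pkt.dst)


@dataclass
class Flow:
    originator: str
    bypassed: bool = False
    alerts: list = field(default_factory=list)


def inspect_flow(packets: list, pass_rules: list) -> Flow:
    """Walk a flow packet by packet: once a pass+bypass rule matches any
    packet, the rest of the flow is skipped (modelled whole-flow bypass)."""
    flow = Flow(originator=packets[0].src)
    for pkt in packets:
        if flow.bypassed:
            continue
        if any(rule.matches(pkt, flow.originator) for rule in pass_rules):
            flow.bypassed = True
            continue
        if UA_MARKER in pkt.payload:
            flow.alerts.append(f"{pkt.src} -> {pkt.dst}")
    return flow


def http_get(src: str, dst: str, target: str) -> Packet:
    # Constructed request; `target` is origin-form (TP) or absolute-form (EP)
    req = f"GET {target} HTTP/1.1\r\nHost: myserver\r\nUser-Agent: {UA_MARKER}\r\n\r\n"
    return Packet(src, dst, req)


def tp_flow() -> list:
    # Transparent interception: on the wire the client talks to the server's
    # address, so the proxy's own address never appears.
    return [Packet(CLIENT, SERVER), Packet(SERVER, CLIENT),
            http_get(CLIENT, SERVER, "/index.html")]


def ep_flow() -> list:
    # Explicit proxy: the client connects to the proxy, so every reply packet
    # carries the proxy's address as its source.
    return [Packet(CLIENT, PROXY), Packet(PROXY, CLIENT),
            http_get(CLIENT, PROXY, "http://myserver/index.html")]


def outbound_flow() -> list:
    # The proxy's own connection to the server, which the bypass was meant for.
    return [Packet(PROXY, SERVER), Packet(SERVER, PROXY),
            http_get(PROXY, SERVER, "/index.html")]


def alert_counts(rules: list) -> dict:
    """Number of alerts each flow would raise under the given pass rules."""
    scenarios = (("tp", tp_flow), ("ep", ep_flow), ("outbound", outbound_flow))
    return {name: len(inspect_flow(build(), rules).alerts) for name, build in scenarios}


# The rule from the post, and a hypothetical narrowed form scoped to flows the
# proxy originates.
BROAD = [PassRule(PROXY, "any")]
NARROWED = [PassRule(PROXY, "any", to_server=True)]

if __name__ == "__main__":
    print("broad   ", alert_counts(BROAD))
    print("narrowed", alert_counts(NARROWED))
```

Running the model, the broad rule silences both the explicit-proxy flow and the outbound flow while leaving the transparent flow alerting, which is the pattern reported above; the narrowed rule keeps the outbound bypass but restores the alert on the explicit-proxy request. The model has no notion of real flow direction tracking, ports or rule priority, so treat it as a way to reason about the scoping, not as a statement of what the engine does internally.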