Suricata rules & the proxy protocol

Hello everyone,

Currently I have the following setup:

I’m running two HAProxy servers. Between those two HAProxy servers flows HTTP traffic. Suricata is listening on this traffic. In the first place it was working just fine, and triggering some basic HTTP alert message that looks for a header that contains a certain phrase (custom rule).

But, from HAProxy server 1 to HAProxy server 2, I needed to send the Proxy Protocol V2. But, this breaks the custom rule (not triggering at all). It triggered some other rules though, about abnormal content encoding & request header invalid. I decided to do it the dirty way, and commented those alerts out (don’t hate me please).

The proxy header is looking a bit weird when inspecting it with Wireshark, could this be the reason for the alert not to trigger?

Screenshot of wireshark

I’m wondering if anyone could help me out finding out the problem.

This looks indeed a bit strange. Can you share a bit more details and configuration of your setup?

So I’m performing TLS decryption with HAProxy. Because the unencrypted traffic that I’m intercepting for inspection flows between two HAProxy servers, the packets will always have their src and dst IP come from those two servers. For that reason, I am sending the proxy protocol header between those servers. There are two proxy protocol versions, v1 which is a human-readable version of the header, and version 2 which is a binary form. I must use v2.

Wireshark does not properly parse the protocol somehow, while the proxy protocol dissector is enabled. I’m also able to find and decode the header manually. I guess Suricata is having the same decoding issue as Wireshark. The QUIT word that’s visible in Wireshark is probably just some coincidence I would assume, since there are no errors and the proxies are working as I wish and not producing errors.
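
A decoder for the binary v2 header discussed in this thread, as an added example that is not part of the original posts: it follows the HAProxy PROXY protocol specification, whose fixed 12-byte v2 signature contains the ASCII bytes "QUIT", and returns the payload that follows the header, which is where the HTTP request begins. The function names, sample addresses, ports and HTTP request are constructed for illustration.

```python
import ipaddress
import struct

# Fixed 12-byte signature that opens every PROXY protocol v2 header
# (HAProxy PROXY protocol spec). It contains the ASCII bytes "QUIT".
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

def parse_proxy_v2(data: bytes):
    """Return (info, payload); info is None if data has no v2 header."""
    if len(data) < 16 or not data.startswith(PP2_SIGNATURE):
        return None, data
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or ver_cmd & 0x0F not in (0, 1):
        raise ValueError("invalid version/command byte")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY v2 header")
    addr = data[16:16 + length]
    info = {"command": "PROXY" if ver_cmd & 0x0F else "LOCAL",
            "header_len": 16 + length}
    family = fam_proto >> 4          # 1 = AF_INET, 2 = AF_INET6
    if info["command"] == "PROXY" and family in (1, 2):
        alen = 4 if family == 1 else 16
        if length < 2 * alen + 4:
            raise ValueError("address block too short")
        info["src_ip"] = str(ipaddress.ip_address(addr[:alen]))
        info["dst_ip"] = str(ipaddress.ip_address(addr[alen:2 * alen]))
        info["src_port"], info["dst_port"] = struct.unpack(
            "!HH", addr[2 * alen:2 * alen + 4])
    # TLVs after the addresses are counted in `length`, so they are skipped too.
    return info, data[16 + length:]

def build_sample() -> bytes:
    """Constructed sample: v2 PROXY command, TCP over IPv4, then HTTP."""
    addr = (ipaddress.ip_address("203.0.113.7").packed
            + ipaddress.ip_address("192.0.2.10").packed
            + struct.pack("!HH", 51234, 80))
    header = PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addr)) + addr
    return header + b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Test: phrase\r\n\r\n"

if __name__ == "__main__":
    info, payload = parse_proxy_v2(build_sample())
    print(info)                       # client addresses carried in the header
    print(payload.split(b"\r\n")[0])  # first line of the HTTP request
```

Running the same function over the first bytes of each TCP stream in a capture shows how many bytes precede the HTTP request line, which is the part an HTTP parser that is unaware of the PROXY header will trip over.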

I think we had such a request or scenario in the past, didn’t find it yet. Someone was looking into that if it would be possible to extract some data from the Proxy Protocol (I don’t know which version). Can you forge some testing data there and create pcaps that you could share?

proxyproto[1].pcap (3.8 MB)
I can share this. Sorry for the delayed reply.