Currently I have the following setup:
I’m running two HAProxy servers. Between those two HAProxy servers flows HTTP traffic, and Suricata is listening on this traffic. At first it was working just fine, triggering a basic HTTP alert that looks for a header containing a certain phrase (custom rule).
But from HAProxy server 1 to HAProxy server 2, I needed to send Proxy Protocol V2. This breaks the custom rule (it does not trigger at all). It triggered some other rules though, about abnormal content encoding and an invalid request header. I decided to do it the dirty way and commented those alerts out (don’t hate me please).
The proxy header looks a bit weird when inspecting it with Wireshark; could this be the reason the alert does not trigger?
I’m wondering if anyone could help me find the problem.
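To see why the traffic looks odd in Wireshark, the following added example (not code from the poster or from HAProxy/Suricata) builds a Proxy Protocol v2 header from the published format, prepends it to a constructed HTTP request, and shows that the stream no longer starts with an HTTP request line until those binary bytes are stripped; the IPs, ports and request are made-up sample values.

```python
import socket
import struct

# PROXY protocol v2 signature (12 bytes) as defined in the HAProxy specification.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

# Constructed sample request, standing in for the HTTP traffic between the two proxies.
SAMPLE_REQUEST = (b"GET /login HTTP/1.1\r\nHost: app.example\r\n"
                  b"X-Custom: some-phrase\r\n\r\n")


def build_pp2_header(src_ip, dst_ip, src_port, dst_port):
    """Build a v2 header for a proxied IPv4/TCP connection (PROXY command)."""
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    # 0x21 = version 2, command PROXY; 0x11 = AF_INET, SOCK_STREAM
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(addrs)) + addrs


def strip_pp2_header(stream):
    """Split a TCP stream into (proxy_info, payload); proxy_info is None if no header."""
    if len(stream) < 16 or not stream.startswith(PP2_SIGNATURE):
        return None, stream
    ver_cmd, fam_proto = stream[12], stream[13]
    (length,) = struct.unpack("!H", stream[14:16])
    if ver_cmd >> 4 != 2 or len(stream) < 16 + length:
        raise ValueError("malformed PROXY v2 header")
    body, payload = stream[16:16 + length], stream[16 + length:]
    info = {"command": "PROXY" if ver_cmd & 0x0F == 1 else "LOCAL"}
    if fam_proto == 0x11 and length >= 12:  # IPv4/TCP: 4+4+2+2 bytes of addresses
        src_port, dst_port = struct.unpack("!HH", body[8:12])
        info.update(src=socket.inet_ntoa(body[0:4]), dst=socket.inet_ntoa(body[4:8]),
                    src_port=src_port, dst_port=dst_port)
    return info, payload


def starts_with_http_request(stream):
    """Does the stream begin with an HTTP request line, as an HTTP parser expects?"""
    parts = stream.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) == 3 and parts[2].startswith(b"HTTP/")


def demo():
    wire = build_pp2_header("10.0.0.1", "10.0.0.2", 51234, 80) + SAMPLE_REQUEST
    before = starts_with_http_request(wire)     # False: 28 binary bytes come first
    info, payload = strip_pp2_header(wire)
    after = starts_with_http_request(payload)   # True once the header is removed
    return before, after, info, payload
```

The first 28 bytes on the wire are the binary header, so anything that expects the request line at byte 0 of the stream sees them instead of `GET /login HTTP/1.1`.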