Bug #2333
Suricata doesn't see http traffic as http traffic in weird proxy
Status: closed
Description
I don't know if this is a bug or expected behavior as it's an odd case.
In trying to make rules for localtunnel:
https://localtunnel.github.io/www/
Suricata wouldn't recognize certain (non standard) http traffic. Pcap attached.
localtunnel reaches out, gets a config, then connects to localtunnel(dot)me 10 times (this looks configurable) and waits for data. When someone goes to the public url, that data is shoved down one of the connections to the client machine, which pipes it off to whatever you set it up with, in this case lighttpd.
The http data coming down from the "proxy" is all busted. I am not sure if Suricata doesn't see it as http because of the bustedness of it, or because the wrong IP in the conversation is sending the data, a GET in this case.
The conversation starts in packet 65 of attached pcap.
I separated the exfil conversation for testing. It's attached as exfil.pcap
This fires:
alert tcp any any -> any any (msg:"ET POLICY localtunnel Data Exfiltration"; content:"host|3a 20|"; sid:303033; rev:1;)
This does not:
alert http any any -> any any (msg:"ET POLICY localtunnel Data Exfiltration"; content:"host|3a 20|"; sid:303034; rev:1;)
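A direction-aware variant of the working tcp rule, added here as an example; it is not part of the original report or of the ET ruleset. It assumes the standard $HOME_NET / $EXTERNAL_NET variables and a local sid, and keys on the case the report describes: an HTTP request line arriving from the server side of an established, client-initiated connection.

```suricata
# Added example, not from the report or the ET ruleset.
# Assumes the standard $HOME_NET / $EXTERNAL_NET variables and a
# local sid (1000001); adjust both for your deployment.
#
# The report's working rule matches "host: " anywhere in any TCP
# payload, in either direction. This one narrows it to a GET request
# line sent server-to-client on an established connection, i.e. the
# public endpoint pushing a request down a tunnel connection that the
# inside host opened, which is what the report describes.
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
  msg:"LOCAL POLICY HTTP request line received from server side (possible localtunnel-style reverse tunnel)"; \
  flow:to_client,established; \
  content:"GET "; depth:4; \
  content:"host|3a 20|"; nocase; distance:0; \
  classtype:policy-violation; \
  sid:1000001; rev:1; )
```

Run it against the attached exfil.pcap with `suricata -r exfil.pcap -S local.rules` and check fast.log to confirm it fires only on the server-to-client request.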