Hi Jean,

On Sun, May 28, 2017 at 09:15:56AM +0000, Jean LUBATTI wrote:
> Hi Willy,
>
> I just tried the line "tcp-request content capture req.hdrs_bin len 2000" in
> the config but I get:
>
> [ALERT] 147/073131 (13352) : parsing [/etc/haproxy/haproxy.cfg:42] :
> 'tcp-request content capture' : unknown fetch method 'req.hdrs_bin'
> [ALERT] 147/073131 (13352) : Error(s) found in configuration file :
> /etc/haproxy/haproxy.cfg
> [ALERT] 147/073131 (13352) : Fatal errors found in configuration.
> Errors found in configuration file, check it with 'haproxy check'.
Sorry, this one is only in 1.8-dev.

> I changed it to:
>
> tcp-request content capture req.payload(0,2000) len 2000
>
> but I don't think it works (at least not when inspecting the core on s->req).

Ah, I forgot to mention you need to allow a delay for the request to arrive,
you need to add this:

    tcp-request inspect-delay 10s

(for example)

> Here is the output of haproxy running under gdb when the attack happens:
>
> 000001d7:ft_appmarket_preprod_services_ingenico_com_443.clireq[0027:ffffffff]:
> GET /wp-content/uploads/ HTTP/1.1
> 000001d7:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0027:ffffffff]:
> Host: 185.139.245.111
> 000001d7:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0027:ffffffff]:
> User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:40.0) Gecko/20100101
> Firefox/40.0
> 000001d7:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0027:ffffffff]:
> Cookie: SERVERID=ppmktplportals01fe
> 000001d7:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0027:ffffffff]:
> Accept-Encoding: gzip
> 000001d8:ft_appmarket_preprod_services_ingenico_com_443.clireq[0028:ffffffff]:
> GET /wp-content/uploads/2015/ HTTP/1.1
> 000001d8:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0028:ffffffff]:
> Host: 185.139.245.111
> 000001d8:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0028:ffffffff]:
> User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:40.0) Gecko/20100101
> Firefox/40.0
> 000001d8:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0028:ffffffff]:
> Cookie: SERVERID=ppmktplportals01fe
> 000001d8:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0028:ffffffff]:
> Accept-Encoding: gzip
> 000001d7:appmarket_preprod_services_ingenico_com_8443.srvrep[0027:0029]:
> HTTP/1.1 404 Not Found
> 000001d7:appmarket_preprod_services_ingenico_com_8443.srvhdr[0027:0029]:
> Server: Apache-Coyote/1.1
> 000001d7:appmarket_preprod_services_ingenico_com_8443.srvhdr[0027:0029]:
> Content-Length: 0
> 000001d7:appmarket_preprod_services_ingenico_com_8443.srvhdr[0027:0029]:
> Date: Sun, 28 May 2017 09:03:04 GMT
> 000001d7:appmarket_preprod_services_ingenico_com_8443.srvhdr[0027:0029]:
> Connection: close
> 000001d8:appmarket_preprod_services_ingenico_com_8443.srvrep[0028:002a]:
> HTTP/1.1 404 Not Found
> 000001d8:appmarket_preprod_services_ingenico_com_8443.srvhdr[0028:002a]:
> Server: Apache-Coyote/1.1
> 000001d8:appmarket_preprod_services_ingenico_com_8443.srvhdr[0028:002a]:
> Content-Length: 0
> 000001d8:appmarket_preprod_services_ingenico_com_8443.srvhdr[0028:002a]:
> Date: Sun, 28 May 2017 09:03:04 GMT
> 000001d8:appmarket_preprod_services_ingenico_com_8443.srvhdr[0028:002a]:
> Connection: close
> 000001d9:ft_appmarket_preprod_services_ingenico_com_443.clireq[0025:ffffffff]:
> GET /language/en-GB/en-GB.xml HTTP/1.1
> 000001d9:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0025:ffffffff]:
> Host: 185.139.245.111
> 000001d9:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0025:ffffffff]:
> User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:40.0) Gecko/20100101
> Firefox/40.0
> 000001d9:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0025:ffffffff]:
> Cookie: SERVERID=ppmktplportals01fe
> 000001d9:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0025:ffffffff]:
> Accept-Encoding: gzip
>
> Program received signal SIGSEGV, Segmentation fault.
> _wordcopy_fwd_dest_aligned (dstp=14712784, srcp=14712832,
> len=2305843009213203548) at wordcopy.c:196
> 196 a0 = ((op_t *) srcp)[0];
> (gdb)
>
> Attaching to the mail the core and the binary.

Thanks for all this, I think I should be able to reproduce it with all this,
otherwise I'll recontact you :-)

Thanks!
Willy
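As an added example (not code from this thread or from HAProxy itself), a small Python parser for the debug-output format quoted above: it groups the interleaved client and server lines per session id so that the request still in flight when the SIGSEGV hit can be picked out of a trace. The sample is a constructed, shortened copy of the quoted output with the mail wrapping undone; field names such as `frontend`, `backend` and `status` are this example's own.

```python
import re

# One line of haproxy's debug output (-d), in the shape quoted in the thread:
#   <session>:<proxy>.<kind>[<client fd>:<server fd>]: <http line>
# (clireq/clihdr are the client side, srvrep/srvhdr the server side)
DEBUG_LINE = re.compile(
    r"^(?P<sid>[0-9a-f]{8}):(?P<proxy>.+?)\.(?P<kind>clireq|clihdr|srvrep|srvhdr)"
    r"\[(?P<cfd>[0-9a-f]+):(?P<sfd>[0-9a-f]+)\]: ?(?P<text>.*)$")

# Constructed sample: a shortened copy of the output quoted in the thread,
# with the mail client's wrapping undone so each record is one line.
SAMPLE = """\
000001d7:ft_appmarket_preprod_services_ingenico_com_443.clireq[0027:ffffffff]: GET /wp-content/uploads/ HTTP/1.1
000001d7:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0027:ffffffff]: Host: 185.139.245.111
000001d8:ft_appmarket_preprod_services_ingenico_com_443.clireq[0028:ffffffff]: GET /wp-content/uploads/2015/ HTTP/1.1
000001d7:appmarket_preprod_services_ingenico_com_8443.srvrep[0027:0029]: HTTP/1.1 404 Not Found
000001d7:appmarket_preprod_services_ingenico_com_8443.srvhdr[0027:0029]: Content-Length: 0
000001d8:appmarket_preprod_services_ingenico_com_8443.srvrep[0028:002a]: HTTP/1.1 404 Not Found
000001d9:ft_appmarket_preprod_services_ingenico_com_443.clireq[0025:ffffffff]: GET /language/en-GB/en-GB.xml HTTP/1.1
000001d9:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0025:ffffffff]: Host: 185.139.245.111
"""

def parse_debug_output(text):
    """Group debug lines by session id into request/response records."""
    sessions = {}
    for raw in text.splitlines():
        m = DEBUG_LINE.match(raw.strip())
        if not m:
            continue  # gdb output, blank lines, anything not in the format
        s = sessions.setdefault(m["sid"], {
            "frontend": None, "backend": None, "request": None,
            "req_headers": {}, "status": None, "resp_headers": {}})
        kind, line = m["kind"], m["text"]
        if kind == "clireq":
            s["frontend"], s["request"] = m["proxy"], line
        elif kind == "srvrep":  # e.g. "HTTP/1.1 404 Not Found"
            parts = line.split()
            s["backend"] = m["proxy"]
            s["status"] = parts[1] if len(parts) > 1 else None
        else:  # clihdr / srvhdr carry one "Name: value" header each
            name, _, value = line.partition(":")
            target = "req_headers" if kind == "clihdr" else "resp_headers"
            s[target][name.strip().lower()] = value.strip()
    return sessions

def in_flight(sessions):
    """Session ids with a request but no server reply; in a crash trace these
    are the requests still being processed when the output stopped."""
    return sorted(sid for sid, s in sessions.items() if s["status"] is None)
```

Run over the full trace from the mail, the only session without a reply is 000001d9, the request to /language/en-GB/en-GB.xml that was being handled when the crash occurred.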