<html><body><div style="color:#000; background-color:#fff; font-family:tahoma, new york, times, serif;font-size:12pt"><div style="font-family: tahoma, 'new york', times, serif; font-size: 12pt;">Hello,</div><div style="font-family: tahoma, 'new york', times, serif; font-size: 12pt;"><br></div><div style="font-family: tahoma, 'new york', times, serif; font-size: 16.000001907348633px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">I'm using Suricata version 1.4.6 RELEASE under OpenBSD 5.4 amd64 via ipfw.</div><div style="font-family: tahoma, 'new york', times, serif; font-size: 16.000001907348633px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">I've diverted outgoing web requests on my external interface:</div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">pass out log quick on vlan100 proto tcp from (vlan100) to any port = 80 flags S/SA scrub (reassemble
tcp) divert-packet port 701</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">pass out log quick on vlan100 proto tcp from (vlan100) to any port = 443 flags S/SA scrub (reassemble tcp) divert-packet port 701</font></div><div style="font-family: tahoma, 'new york', times, serif; font-size: 16.000001907348633px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><br></div><div style="font-family: tahoma, 'new york', times, serif; font-size: 16.000001907348633px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">I can successfully see the traffic and can block with testing rules.</div><div style="font-family: tahoma, 'new york', times, serif; font-size: 16.000001907348633px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">But I've realized that Suricata is blocking some extra requests. Because of this blocking there are performance
losses:</div><div style="font-family: tahoma, 'new york', times, serif; font-size: 16.000001907348633px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;">You have to know that Suricata is blocking even when it has no rules. Here is a sample from drop.log (but there is no log in fast.log for these blocks) (if a rule matches it logs to fast.log, but these unwanted blocks are only written to drop.log)</div><div style="font-family: tahoma, 'new york', times, serif; font-size: 16.000001907348633px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><span style="background-color: transparent;"> </span></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">O=TCP SPT=443 DPT=58619 SEQ=2804935695 ACK=2371747804 WINDOW=296 ACK PSH FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:01.632786: IN=
OUT= SRC=192.168.100.100 DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=17666 PROTO=TCP SPT=35725 DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:01.727115: IN= OUT= SRC=199.16.156.102 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=47 ID=27173 PROTO=TCP SPT=443 DPT=58835 SEQ=2348162281 ACK=3955361904 WINDOW=58 ACK FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:01.767528: IN= OUT= SRC=192.168.100.100 DST=85.111.27.167 LEN=40 TOS=0x00 TTL=64 ID=8219 PROTO=TCP SPT=33639 DPT=80 SEQ=1839439439 ACK=3038632221 WINDOW=0 ACK RST RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:02.781027: IN= OUT= SRC=199.16.156.102 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=47 ID=27175
PROTO=TCP SPT=443 DPT=58835 SEQ=2348162281 ACK=3955361904 WINDOW=58 ACK FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:03.127516: IN= OUT= SRC=192.168.100.100 DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=61475 PROTO=TCP SPT=35725 DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:06.127572: IN= OUT= SRC=192.168.100.100 DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=12954 PROTO=TCP SPT=35725 DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:07.638406: IN= OUT= SRC=31.13.81.1 DST=10.10.10.34 LEN=162 TOS=0x00 TTL=84 ID=13321 PROTO=TCP SPT=443 DPT=58690 SEQ=4254779218 ACK=3242616673 WINDOW=137 ACK PSH
FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:08.399823: IN= OUT= SRC=199.16.156.230 DST=10.10.10.34 LEN=108 TOS=0x00 TTL=47 ID=30737 PROTO=TCP SPT=443 DPT=58706 SEQ=494824062 ACK=1570154700 WINDOW=115 ACK PSH FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:08.736707: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=57 ID=44554 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923965 ACK=3163237138 WINDOW=262 ACK FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:08.745750: IN= OUT= SRC=199.16.156.230 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=47 ID=58908 PROTO=TCP SPT=443 DPT=58824 SEQ=186188950 ACK=3184862903 WINDOW=62 ACK FIN RES=0x00 URGP=0</font></div><div style="background-color:
transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:09.207038: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=67 TOS=0x00 TTL=57 ID=44555 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:10.167096: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=67 TOS=0x00 TTL=57 ID=44556 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:10.280290: IN= OUT= SRC=173.194.113.65 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=55 ID=14985 PROTO=TCP SPT=443 DPT=58684 SEQ=489181165 ACK=814232276 WINDOW=661 ACK FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times,
serif">10/07/2013-11:39:10.555450: IN= OUT= SRC=199.16.156.230 DST=10.10.10.34 LEN=108 TOS=0x00 TTL=47 ID=64942 PROTO=TCP SPT=443 DPT=58823 SEQ=2184787872 ACK=2439587835 WINDOW=136 ACK PSH FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:10.857528: IN= OUT= SRC=192.168.100.100 DST=85.111.27.166 LEN=40 TOS=0x00 TTL=64 ID=25578 PROTO=TCP SPT=16044 DPT=80 SEQ=4286671192 ACK=2754483115 WINDOW=0 ACK RST RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:11.005811: IN= OUT= SRC=173.194.112.193 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=55 ID=59883 PROTO=TCP SPT=443 DPT=58685 SEQ=2604475573 ACK=1338761892 WINDOW=661 ACK FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:12.087140: IN= OUT= SRC=68.232.35.139
DST=10.10.10.34 LEN=67 TOS=0x00 TTL=57 ID=44557 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:12.127531: IN= OUT= SRC=192.168.100.100 DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=8958 PROTO=TCP SPT=35725 DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:15.937229: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=67 TOS=0x00 TTL=57 ID=44558 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:16.369792: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=67 TOS=0x00 TTL=57 ID=59813 PROTO=TCP SPT=443
DPT=58620 SEQ=4064550715 ACK=3904868233 WINDOW=296 ACK PSH FIN RES=0x00 URGP=0</font></div><div style="background-color: transparent;"><font face="tahoma, new york, times, serif">10/07/2013-11:39:17.927544: IN= OUT= SRC=192.168.100.100 DST=85.111.27.167 LEN=40 TOS=0x00 TTL=64 ID=27887 PROTO=TCP SPT=2623 DPT=80 SEQ=2600092122 ACK=318670551 WINDOW=0 ACK RST RES=0x00 URGP=0</font></div><div style="font-family: tahoma, 'new york', times, serif; font-size: 12pt;"><br></div><div style="font-family: tahoma, 'new york', times, serif; font-size: 12pt;"><br></div><div style="font-family: tahoma, 'new york', times, serif; font-size: 12pt;"><div style="font-family: 'Times New Roman'; font-size: medium;"><font face="tahoma, new york, times, serif">Thanks for your help.</font></div><div style="font-family: 'Times New Roman'; font-size: medium;"><font face="tahoma, new york, times, serif">--</font></div><div style="font-family: 'Times New Roman'; font-size:
16px;"><font face="tahoma, new york, times, serif">Theron ZORBAS</font></div></div><div style="font-family: tahoma, 'new york', times, serif; font-size: 12pt;"><br></div><div style="font-family: tahoma, 'new york', times, serif; font-size: 12pt;">Note: </div><div style="font-family: tahoma, 'new york', times, serif; font-size: 12pt;">stream:</div><div><font face="tahoma, new york, times, serif">checksum-validation: no</font><br></div><div><font face="tahoma, new york, times, serif">inline: yes<br></font></div><div><br></div></div></body></html>
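A triage script for the drop.log excerpt in the post above, added here as an example; it is not the poster's code and not part of Suricata. It parses the drop.log line format visible in the post, groups the drops by TCP flags, checks whether any dropped segment carries SYN, and finds segments that were dropped repeatedly with the same sequence number, i.e. a peer retransmitting a FIN that never gets through, which would account for the performance losses the post mentions. On the posted sample every drop is a FIN or RST teardown segment and none of them is tied to a signature, which is consistent with the stream engine's inline policy rather than a rule. The sample data is the post's own log; the truncated first line is kept to show that unparseable lines are reported rather than silently skipped.

```python
import re
from collections import Counter, defaultdict

# drop.log lines copied from the post (the first one is truncated in the original)
DROP_LOG = """\
O=TCP SPT=443 DPT=58619 SEQ=2804935695 ACK=2371747804 WINDOW=296 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:01.632786: IN= OUT= SRC=192.168.100.100 DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=17666 PROTO=TCP SPT=35725 DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:01.727115: IN= OUT= SRC=199.16.156.102 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=47 ID=27173 PROTO=TCP SPT=443 DPT=58835 SEQ=2348162281 ACK=3955361904 WINDOW=58 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:01.767528: IN= OUT= SRC=192.168.100.100 DST=85.111.27.167 LEN=40 TOS=0x00 TTL=64 ID=8219 PROTO=TCP SPT=33639 DPT=80 SEQ=1839439439 ACK=3038632221 WINDOW=0 ACK RST RES=0x00 URGP=0
10/07/2013-11:39:02.781027: IN= OUT= SRC=199.16.156.102 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=47 ID=27175 PROTO=TCP SPT=443 DPT=58835 SEQ=2348162281 ACK=3955361904 WINDOW=58 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:03.127516: IN= OUT= SRC=192.168.100.100 DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=61475 PROTO=TCP SPT=35725 DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:06.127572: IN= OUT= SRC=192.168.100.100 DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=12954 PROTO=TCP SPT=35725 DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:07.638406: IN= OUT= SRC=31.13.81.1 DST=10.10.10.34 LEN=162 TOS=0x00 TTL=84 ID=13321 PROTO=TCP SPT=443 DPT=58690 SEQ=4254779218 ACK=3242616673 WINDOW=137 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:08.399823: IN= OUT= SRC=199.16.156.230 DST=10.10.10.34 LEN=108 TOS=0x00 TTL=47 ID=30737 PROTO=TCP SPT=443 DPT=58706 SEQ=494824062 ACK=1570154700 WINDOW=115 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:08.736707: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=57 ID=44554 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923965 ACK=3163237138 WINDOW=262 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:08.745750: IN= OUT= SRC=199.16.156.230 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=47 ID=58908 PROTO=TCP SPT=443 DPT=58824 SEQ=186188950 ACK=3184862903 WINDOW=62 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:09.207038: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=67 TOS=0x00 TTL=57 ID=44555 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:10.167096: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=67 TOS=0x00 TTL=57 ID=44556 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:10.280290: IN= OUT= SRC=173.194.113.65 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=55 ID=14985 PROTO=TCP SPT=443 DPT=58684 SEQ=489181165 ACK=814232276 WINDOW=661 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:10.555450: IN= OUT= SRC=199.16.156.230 DST=10.10.10.34 LEN=108 TOS=0x00 TTL=47 ID=64942 PROTO=TCP SPT=443 DPT=58823 SEQ=2184787872 ACK=2439587835 WINDOW=136 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:10.857528: IN= OUT= SRC=192.168.100.100 DST=85.111.27.166 LEN=40 TOS=0x00 TTL=64 ID=25578 PROTO=TCP SPT=16044 DPT=80 SEQ=4286671192 ACK=2754483115 WINDOW=0 ACK RST RES=0x00 URGP=0
10/07/2013-11:39:11.005811: IN= OUT= SRC=173.194.112.193 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=55 ID=59883 PROTO=TCP SPT=443 DPT=58685 SEQ=2604475573 ACK=1338761892 WINDOW=661 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:12.087140: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=67 TOS=0x00 TTL=57 ID=44557 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:12.127531: IN= OUT= SRC=192.168.100.100 DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=8958 PROTO=TCP SPT=35725 DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:15.937229: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=67 TOS=0x00 TTL=57 ID=44558 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:16.369792: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=67 TOS=0x00 TTL=57 ID=59813 PROTO=TCP SPT=443 DPT=58620 SEQ=4064550715 ACK=3904868233 WINDOW=296 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:17.927544: IN= OUT= SRC=192.168.100.100 DST=85.111.27.167 LEN=40 TOS=0x00 TTL=64 ID=27887 PROTO=TCP SPT=2623 DPT=80 SEQ=2600092122 ACK=318670551 WINDOW=0 ACK RST RES=0x00 URGP=0
"""

# Field layout as it appears in the post's drop.log; the flag words sit between WINDOW= and RES=.
LINE_RE = re.compile(
    r"^(?P<ts>\S+): IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"LEN=(?P<len>\d+) TOS=\S+ TTL=(?P<ttl>\d+) ID=\d+ PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) SEQ=(?P<seq>\d+) ACK=(?P<ack>\d+) "
    r"WINDOW=(?P<win>\d+) (?P<flags>[A-Z ]+?) RES=\S+ URGP=\d+$"
)


def parse_drop_log(text):
    """Return (records, unparsed_lines); each record is a dict with ints and a flag set."""
    records, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # e.g. the cut-off first line of the excerpt
            continue
        rec = m.groupdict()
        for key in ("len", "ttl", "spt", "dpt", "seq", "ack", "win"):
            rec[key] = int(rec[key])
        rec["flags"] = frozenset(rec["flags"].split())
        records.append(rec)
    return records, unparsed


def flag_histogram(records):
    """Count drops per flag combination (flags sorted so 'PSH FIN' and 'FIN PSH' merge)."""
    return Counter(" ".join(sorted(r["flags"])) for r in records)


def teardown_only(records):
    """True when every drop is a FIN or RST segment and no dropped segment carries SYN."""
    return all(({"FIN", "RST"} & r["flags"]) and "SYN" not in r["flags"] for r in records)


def retransmissions(records):
    """Map (src, spt, dst, dpt, seq) -> timestamps for segments dropped more than once."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["spt"], r["dst"], r["dpt"], r["seq"])].append(r["ts"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def triage(text):
    records, unparsed = parse_drop_log(text)
    return {
        "parsed": len(records),
        "unparsed": len(unparsed),
        "by_flags": flag_histogram(records),
        "has_syn": sum("SYN" in r["flags"] for r in records),
        "teardown_only": teardown_only(records),
        "retransmitted": retransmissions(records),
    }


if __name__ == "__main__":
    t = triage(DROP_LOG)
    print(f"parsed {t['parsed']} drops, {t['unparsed']} unparseable line(s)")
    for flags, n in t["by_flags"].most_common():
        print(f"  {n:3d}  {flags}")
    print("dropped segments carrying SYN:", t["has_syn"])
    print("all drops are FIN/RST teardown segments:", t["teardown_only"])
    for (src, spt, dst, dpt, seq), times in t["retransmitted"].items():
        print(f"  {src}:{spt} -> {dst}:{dpt} seq={seq} dropped {len(times)}x ({times[0]} .. {times[-1]})")
```

Run it against a real drop.log (`python3 triage.py < /var/log/suricata/drop.log` after swapping the constant for `sys.stdin.read()`) and compare the timestamps with fast.log: drops that have no alert at the same time and 5-tuple are not signature hits, and a list of repeated (5-tuple, seq) entries a few seconds apart is a direct measure of how many closes are being stalled.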