<html><head></head><body>af-packet in copy mode. Inline IPS. Not using IPtables. I don't like that mode of IPS<br><br><font face="Arial" size="4">Leonard<br></font><br><br><br><div><strong>
From:
</strong>
Chris Boley <ilgtech75@gmail.com>
<br>
<strong>
To:
</strong>
<ljacobs@netsecuris.com>
<br>
<strong>
Cc:
</strong>
Open Information Security Foundation <oisf-users@lists.openinfosecfoundation.org>
<br>
<strong>
Sent:
</strong>
3/13/2018 8:31 PM
<br>
<strong>
Subject:
</strong>
Re: [Oisf-users] Suricata Stopping Sophos Web GUI on TCP Port 4444
<br><br><blockquote class="mori" style="margin:0 0 0 .8ex;border-left:1px solid #CCC;padding-left:1ex;"><div><div>leonard, Suricata is running as an in-line bridge or zero-copy style install?</div><div><br></div><div>Pure speculation here:</div><div> I’m suspecting that it’s causing packet fragmentation due to tcp-mss growing during ssl sessions within/over the vpn tunnel. I’m not sure how Suricata is causing that, but as a test you might try manually adjusting your mtu on your client interface to something like:</div><div><br><div>sudo ip link set dev eth0 mtu 1400</div><div>sudo iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu </div><div><br></div><div>That should let you squeeze the SSL session through the tunnel.</div><div><br></div><div>If not, I'm out of ideas. :)</div><div>Good luck,</div><div>CB</div><div><br></div><div><br></div></div><br><div class="mcntgmail_quote"><div>On Tue, Mar 13, 2018 at 9:14 PM Leonard Jacobs <<a href="mailto:ljacobs@netsecuris.com" target="_blank" title="Send email to ljacobs@netsecuris.com" class="mailto">ljacobs@netsecuris.com</a>> wrote:<br></div><blockquote class="mcntgmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>Why would Suricata be stopping communications to Sophos Web GUI on TCP Port 4444 through an IPSec VPN Tunnel?<br><br>The weird thing about this is packet captures on both sides of tunnel from the firewalls don't show the traffic being blocked or dropped. I disconnect the wan connection from Suricata appliance and connect directly to the firewall and everything works. Suricata running on the outside of the firewall.<br><br>In suricata.yaml, I put this HTTP_PORTS: "[80,443,4444]" and it still does not work. Does the problem have something to do with how Suricata interacts with the IPSec tunnel? But this does not make any sense because the tunnel comes up and I can even Putty into the firewall command line console and ping the firewall through the tunnel. For some reason, Suricata does not like ports 4444 and 443 to the private ip address of the firewall through the tunnel.<br><br>Thanks.<br><br><font size="4" face="Arial">Leonard<br></font><br>
<br>
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to which they
are addressed. If you have received this email in error please notify Netsecuris management at <a href="mailto:mgmt@netsecuris.com" target="_blank" title="Send email to mgmt@netsecuris.com" class="mailto">mgmt@netsecuris.com</a>. Please note that any views or opinions presented in
this email are solely those of the author and do not necessarily
represent those of Netsecuris Inc. The integrity and
security of this message cannot be guaranteed on the Internet
<br>
</div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank" title="Send email to oisf-users@openinfosecfoundation.org" class="mailto">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/training/</a></blockquote></div></div>
</blockquote></div><BR />
<BR />
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to which they
are addressed. If you have received this email in error please notify Netsecuris management at mgmt@netsecuris.com. Please note that any views or opinions presented in
this email are solely those of the author and do not necessarily
represent those of Netsecuris Inc. The integrity and
security of this message cannot be guaranteed on the Internet
<BR />
</body></html>