<div><div dir="auto">I’m not really sure if by posting this that I’m adding to the confusion or helping steer you Down the correct path? Anyway this article seems sort of relevant but I might be sending you on a goose chase. Proceed with caution ;)</div><div dir="auto"><br></div><div dir="auto"><div><a href="https://blog.inliniac.net/2013/04/19/suricata-handling-of-multiple-different-synacks/">https://blog.inliniac.net/2013/04/19/suricata-handling-of-multiple-different-synacks/</a></div><br></div><br><div class="gmail_quote"><div>On Tue, Apr 10, 2018 at 4:18 PM Albert Whale <<a href="mailto:Albert.Whale@it-security-inc.com">Albert.Whale@it-security-inc.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Can someone please tell me why the connecting to HTTPS websites
are problematic when using the nfqueue run mode? This doesn't
happen when I am using af-packet mode.</p>
<p>In fact in nfqueue mode, I also get the following alerts from
fast.log:</p>
<p>04/10/2018-13:05:49.504292 [**] [1:2210007:2] ITS Safe STREAM
3way handshake SYNACK with wrong ack [**] [Classification: Generic
Protocol Command Decode] [Priority: 3] {TCP} <a href="http://17.249.105.246:443" target="_blank">17.249.105.246:443</a>
-> <a href="http://192.168.1.180:61378" target="_blank">192.168.1.180:61378</a><br>
04/10/2018-13:05:50.534691 [**] [1:2210007:2] ITS Safe STREAM
3way handshake SYNACK with wrong ack [**] [Classification: Generic
Protocol Command Decode] [Priority: 3] {TCP} <a href="http://17.249.105.246:443" target="_blank">17.249.105.246:443</a>
-> <a href="http://192.168.1.180:61378" target="_blank">192.168.1.180:61378</a><br>
04/10/2018-13:05:51.570889 [**] [1:2210007:2] ITS Safe STREAM
3way handshake SYNACK with wrong ack [**] [Classification: Generic
Protocol Command Decode] [Priority: 3] {TCP} <a href="http://17.249.105.246:443" target="_blank">17.249.105.246:443</a>
-> <a href="http://192.168.1.180:61378" target="_blank">192.168.1.180:61378</a><br>
04/10/2018-13:05:53.632130 [**] [1:2210007:2] ITS Safe STREAM
3way handshake SYNACK with wrong ack [**] [Classification: Generic
Protocol Command Decode] [Priority: 3] {TCP} <a href="http://17.249.105.246:443" target="_blank">17.249.105.246:443</a>
-> <a href="http://192.168.1.180:61378" target="_blank">192.168.1.180:61378</a></p>
<p><br>
</p>
<p>This is the error displayed in safari when I am running in-line
IPS mode:</p>
<p><img src="cid:162b178189e9ad3663f1" alt="" style="width:667px;max-width:100%"></p>
<p>Any ideas or suggestions?<br>
</p>
<div class="m_4103490143580355283moz-signature">-- <br>
--<br>
<br>
Albert E. Whale, CEH CHS CISA CISSP<br>
Phone: 412-515-3010 | Email: <a class="m_4103490143580355283moz-txt-link-abbreviated" href="mailto:Albert.Whale@IT-Security-inc.com" target="_blank">Albert.Whale@IT-Security-inc.com</a><br>
Cell: 412-889-6870<br>
<br>
</div>
</div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div></div>