
<html>

  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">

  </head>

  <body text="#000000" bgcolor="#FFFFFF">

    <p>I just rechecked the nfqueue (cat

      /proc/net/netfilter/nfnetlink_queue) - no dropped packets.  But

      there is also no file called /proc/net/netfilter/nf_queue</p>

    <p>Is this supposed to be there?<br>

    </p>

    <div class="moz-signature">

      --<br>

      <br>

      Albert E. Whale, CEH CHS CISA CISSP<br>

      <b>President - Chief Security Officer</b><br>

      <a href="http://www.IT-Security-inc.com">IT Security, Inc.</a> - A

      Service Disabled Veteran Owned Company - (<b>SDVOSB</b>)<br>

      <b>HUBZone Certified</b><br>

      <a href="https://www.linkedin.com/in/albertwhale">LinkedIn</a>

      Profile<br>

      <br>

      <br>

      Phone: 412-515-3010 | Email: <a class="moz-txt-link-abbreviated" href="mailto:Albert.Whale@IT-Security-inc.com">Albert.Whale@IT-Security-inc.com</a><br>

      Cell: 412-889-6870<br>

      <br>

    </div>

    <div class="moz-cite-prefix">On 4/10/18 5:34 PM, Chris Boley wrote:<br>

    </div>

    <blockquote type="cite"

cite="mid:CAPJDwRiFX-pwnySdhRLv2ooWvpqbSu9WABZ4DnHE6o02t524cw@mail.gmail.com">

      <div>

        <div dir="auto">I’m not really sure if by posting this that I’m

          adding to the confusion or helping steer you Down the correct

          path? Anyway this article seems sort of relevant but I might

          be sending you on a goose chase. Proceed with caution ;)</div>

        <div dir="auto"><br>

        </div>

        <div dir="auto">

          <div><a

href="https://blog.inliniac.net/2013/04/19/suricata-handling-of-multiple-different-synacks/"

              moz-do-not-send="true">https://blog.inliniac.net/2013/04/19/suricata-handling-of-multiple-different-synacks/</a></div>

          <br>

        </div>

        <br>

        <div class="gmail_quote">

          <div>On Tue, Apr 10, 2018 at 4:18 PM Albert Whale <<a

              href="mailto:Albert.Whale@it-security-inc.com"

              moz-do-not-send="true">Albert.Whale@it-security-inc.com</a>>

            wrote:<br>

          </div>

          <blockquote class="gmail_quote" style="margin:0 0 0

            .8ex;border-left:1px #ccc solid;padding-left:1ex">

            <div bgcolor="#FFFFFF" text="#000000">

              <p>Can someone please tell me why the connecting to HTTPS

                websites are problematic when using the nfqueue run

                mode?  This doesn't happen when I am using af-packet

                mode.</p>

              <p>In fact in nfqueue mode, I also get the following

                alerts from fast.log:</p>

              <p>04/10/2018-13:05:49.504292  [**] [1:2210007:2] ITS Safe

                STREAM 3way handshake SYNACK with wrong ack [**]

                [Classification: Generic Protocol Command Decode]

                [Priority: 3] {TCP} <a href="http://17.249.105.246:443"

                  target="_blank" moz-do-not-send="true">17.249.105.246:443</a>

                -> <a href="http://192.168.1.180:61378"

                  target="_blank" moz-do-not-send="true">192.168.1.180:61378</a><br>

                04/10/2018-13:05:50.534691  [**] [1:2210007:2] ITS Safe

                STREAM 3way handshake SYNACK with wrong ack [**]

                [Classification: Generic Protocol Command Decode]

                [Priority: 3] {TCP} <a href="http://17.249.105.246:443"

                  target="_blank" moz-do-not-send="true">17.249.105.246:443</a>

                -> <a href="http://192.168.1.180:61378"

                  target="_blank" moz-do-not-send="true">192.168.1.180:61378</a><br>

                04/10/2018-13:05:51.570889  [**] [1:2210007:2] ITS Safe

                STREAM 3way handshake SYNACK with wrong ack [**]

                [Classification: Generic Protocol Command Decode]

                [Priority: 3] {TCP} <a href="http://17.249.105.246:443"

                  target="_blank" moz-do-not-send="true">17.249.105.246:443</a>

                -> <a href="http://192.168.1.180:61378"

                  target="_blank" moz-do-not-send="true">192.168.1.180:61378</a><br>

                04/10/2018-13:05:53.632130  [**] [1:2210007:2] ITS Safe

                STREAM 3way handshake SYNACK with wrong ack [**]

                [Classification: Generic Protocol Command Decode]

                [Priority: 3] {TCP} <a href="http://17.249.105.246:443"

                  target="_blank" moz-do-not-send="true">17.249.105.246:443</a>

                -> <a href="http://192.168.1.180:61378"

                  target="_blank" moz-do-not-send="true">192.168.1.180:61378</a></p>

              <p><br>

              </p>

              <p>This is the error displayed in safari when I am running

                in-line IPS mode:</p>

              <p><img

                  src="cid:part13.85982A79.17F4BFB9@IT-Security-inc.com"

                  alt="" style="width:667px;max-width:100%" class=""></p>

              <p>Any ideas or suggestions?<br>

              </p>

              <div class="m_4103490143580355283moz-signature">-- <br>

                --<br>

                <br>

                Albert E. Whale, CEH CHS CISA CISSP<br>

                Phone: 412-515-3010 | Email: <a

                  class="m_4103490143580355283moz-txt-link-abbreviated"

                  href="mailto:Albert.Whale@IT-Security-inc.com"

                  target="_blank" moz-do-not-send="true">Albert.Whale@IT-Security-inc.com</a><br>

                Cell: 412-889-6870<br>

                <br>

              </div>

            </div>

            _______________________________________________<br>

            Suricata IDS Users mailing list: <a

              href="mailto:oisf-users@openinfosecfoundation.org"

              target="_blank" moz-do-not-send="true">oisf-users@openinfosecfoundation.org</a><br>

            Site: <a href="http://suricata-ids.org" rel="noreferrer"

              target="_blank" moz-do-not-send="true">http://suricata-ids.org</a>

            | Support: <a href="http://suricata-ids.org/support/"

              rel="noreferrer" target="_blank" moz-do-not-send="true">http://suricata-ids.org/support/</a><br>

            List: <a

href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users"

              rel="noreferrer" target="_blank" moz-do-not-send="true">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

            <br>

            Conference: <a href="https://suricon.net" rel="noreferrer"

              target="_blank" moz-do-not-send="true">https://suricon.net</a><br>

            Trainings: <a href="https://suricata-ids.org/training/"

              rel="noreferrer" target="_blank" moz-do-not-send="true">https://suricata-ids.org/training/</a></blockquote>

        </div>

      </div>

      <br>

      <fieldset class="mimeAttachmentHeader"></fieldset>

      <br>

      <pre wrap="">_______________________________________________

Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>

Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>

List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>


Conference: <a class="moz-txt-link-freetext" href="https://suricon.net">https://suricon.net</a>

Trainings: <a class="moz-txt-link-freetext" href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></pre>

    </blockquote>

    <br>

  </body>

</html>