<p dir="ltr">Apologies Albert. I did not see that you had already posted your iptable configs.</p>
<p dir="ltr">I am deploying suricata 4.0.4 tomorrow in nfq mode. Will let you know if I encounter the same problem.</p>
<p dir="ltr">David Sussens.</p>
<div class="gmail_quote">On 13 Apr 2018 08:10, "David Sussens" <<a href="mailto:dsussens@gmail.com">dsussens@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Albert,<br><br></div>Can you please share your iptables/nftables rule base configs with us.  That might help to determine what the problem is here.<br><br></div>David Sussens.<br></div> <br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 10, 2018 at 10:18 PM, Albert Whale <span dir="ltr"><<a href="mailto:Albert.Whale@it-security-inc.com" target="_blank">Albert.Whale@it-security-inc.<wbr>com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  

    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <p>Can someone please tell me why the connecting to HTTPS websites
      are problematic when using the nfqueue run mode?  This doesn't
      happen when I am using af-packet mode.</p>
    <p>In fact in nfqueue mode, I also get the following alerts from
      fast.log:</p>
    <p>04/10/2018-13:05:49.504292  [**] [1:2210007:2] ITS Safe STREAM
      3way handshake SYNACK with wrong ack [**] [Classification: Generic
      Protocol Command Decode] [Priority: 3] {TCP} <a href="http://17.249.105.246:443" target="_blank">17.249.105.246:443</a>
      -> <a href="http://192.168.1.180:61378" target="_blank">192.168.1.180:61378</a><br>
      04/10/2018-13:05:50.534691  [**] [1:2210007:2] ITS Safe STREAM
      3way handshake SYNACK with wrong ack [**] [Classification: Generic
      Protocol Command Decode] [Priority: 3] {TCP} <a href="http://17.249.105.246:443" target="_blank">17.249.105.246:443</a>
      -> <a href="http://192.168.1.180:61378" target="_blank">192.168.1.180:61378</a><br>
      04/10/2018-13:05:51.570889  [**] [1:2210007:2] ITS Safe STREAM
      3way handshake SYNACK with wrong ack [**] [Classification: Generic
      Protocol Command Decode] [Priority: 3] {TCP} <a href="http://17.249.105.246:443" target="_blank">17.249.105.246:443</a>
      -> <a href="http://192.168.1.180:61378" target="_blank">192.168.1.180:61378</a><br>
      04/10/2018-13:05:53.632130  [**] [1:2210007:2] ITS Safe STREAM
      3way handshake SYNACK with wrong ack [**] [Classification: Generic
      Protocol Command Decode] [Priority: 3] {TCP} <a href="http://17.249.105.246:443" target="_blank">17.249.105.246:443</a>
      -> <a href="http://192.168.1.180:61378" target="_blank">192.168.1.180:61378</a></p>
    <p><br>
    </p>
    <p>This is the error displayed in safari when I am running in-line
      IPS mode:</p>
    <p><img src="cid:part1.0A2A2152.055A361C@IT-Security-inc.com" alt=""></p>
    <p>Any ideas or suggestions?<span class="m_329117918453665123HOEnZb"><font color="#888888"><br>
    </font></span></p><span class="m_329117918453665123HOEnZb"><font color="#888888">
    <div class="m_329117918453665123m_-2277878293308104038moz-signature">-- <br>
      --<br>
      <br>
      Albert E. Whale, CEH CHS CISA CISSP<br>
      Phone: 412-515-3010 | Email: <a class="m_329117918453665123m_-2277878293308104038moz-txt-link-abbreviated" href="mailto:Albert.Whale@IT-Security-inc.com" target="_blank">Albert.Whale@IT-Security-inc.c<wbr>om</a><br>
      Cell: 412-889-6870<br>
      <br>
    </div>
  </font></span></div>

<br>______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundati<wbr>on.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/suppor<wbr>t/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfound<wbr>ation.org/mailman/listinfo/<wbr>oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/train<wbr>ing/</a><br></blockquote></div><br></div>
</blockquote></div>