<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>OK, after validating the interfaces and the bridge, I still have
an issue with HTTPS connections and Apple (perhaps others as well)
products. One thing that I notice is the following:</p>
<pre wrap="">08/28/2018-07:31:46.969628 [**] [1:2260002:1] ITS Safe Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.235:55360 -> 192.168.1.187:50037
</pre>
<p>However, this does not indicate a problem, and there were no
Drops during the connection test.</p>
<p>There are no dropped packets either.</p>
<p>Stats.log</p>
<pre wrap="">Date: 8/28/2018 -- 08:12:19 (uptime: 0d, 00h 42m 37s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 20529
decoder.bytes                              | Total                     | 5618109
decoder.ipv4                               | Total                     | 20529
decoder.ipv6                               | Total                     | 15
decoder.tcp                                | Total                     | 12418
decoder.udp                                | Total                     | 7848
decoder.icmpv4                             | Total                     | 171
decoder.teredo                             | Total                     | 15
decoder.avg_pkt_size                       | Total                     | 273
decoder.max_pkt_size                       | Total                     | 1500
flow.tcp                                   | Total                     | 624
flow.udp                                   | Total                     | 1793
tcp.sessions                               | Total                     | 562
tcp.syn                                    | Total                     | 658
tcp.synack                                 | Total                     | 494
tcp.rst                                    | Total                     | 339
tcp.overlap                                | Total                     | 1555
detect.alert                               | Total                     | 8
app_layer.flow.http                        | Total                     | 106
app_layer.tx.http                          | Total                     | 106
app_layer.flow.ftp                         | Total                     | 1
app_layer.flow.tls                         | Total                     | 89
app_layer.flow.smb                         | Total                     | 1
app_layer.flow.failed_tcp                  | Total                     | 3
app_layer.flow.dns_udp                     | Total                     | 1363
app_layer.tx.dns_udp                       | Total                     | 1472
app_layer.flow.failed_udp                  | Total                     | 430
ips.accepted                               | Total                     | 18777
ips.blocked                                | Total                     | 2077
flow_mgr.closed_pruned                     | Total                     | 338
flow_mgr.new_pruned                        | Total                     | 508
flow_mgr.est_pruned                        | Total                     | 1571
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 2293760
tcp.reassembly_memuse                      | Total                     | 327680
flow.memuse                                | Total                     | 7074304
</pre>
<p>Does any of this indicate a problem? If not, what are my next
steps? A Wireshark trace of the activity for IPS and unmonitored
mode?</p>
<br>
<div class="moz-cite-prefix">On 8/27/18 8:35 PM, Albert Whale wrote:<br>
</div>
<blockquote type="cite"
cite="mid:F8FD0EA7-33BC-4FE1-B9EA-5357EB3457CF@IT-Security-inc.com">
<pre wrap="">Hold off on this guys, I had to replace an Ethernet port on the bridge, let me get a fresh set of eyes on this in the morning.
Thank you.
Sent from my iPad
</pre>
<blockquote type="cite">
<pre wrap="">On Aug 27, 2018, at 8:03 PM, Albert Whale <a class="moz-txt-link-rfc2396E" href="mailto:Albert.Whale@IT-Security-inc.com"><Albert.Whale@IT-Security-inc.com></a> wrote:
Hi I am running Suricata 4.0.5 in the IPS mode (NFQUEUE), and I have issues connecting to https websites through the IPS.
I have run the same process with IDS (AF-QUEUE), and have not had any issues.
I am perplexed as to what is creating this issue, because the issue does not exist when I use a Windows machine.
All of the issues I am experiencing only occur with the Mac IOS or the iPhone devices.
Has anyone experienced this issue before?
--
--
Albert E. Whale, CEH CHS CISA CISSP
Email: <a class="moz-txt-link-abbreviated" href="mailto:Albert.Whale@IT-Security-inc.com">Albert.Whale@IT-Security-inc.com</a>
Cell: 412-889-6870
_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
Conference: <a class="moz-txt-link-freetext" href="https://suricon.net">https://suricon.net</a>
Trainings: <a class="moz-txt-link-freetext" href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a>
</pre>
</blockquote>
<pre wrap="">
_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
Conference: <a class="moz-txt-link-freetext" href="https://suricon.net">https://suricon.net</a>
Trainings: <a class="moz-txt-link-freetext" href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
--<br>
<br>
Albert E. Whale, CEH CHS CISA CISSP<br>
<b>President - Chief Security Officer</b><br>
<a href="http://www.IT-Security-inc.com">IT Security, Inc.</a> - A
Service Disabled Veteran Owned Company - (<b>SDVOSB</b>)<br>
<b>HUBZone Certified</b><br>
<a href="https://www.linkedin.com/in/albertwhale">LinkedIn</a>
Profile<br>
<br>
<br>
Phone: 412-515-3010 | Email: <a class="moz-txt-link-abbreviated" href="mailto:Albert.Whale@IT-Security-inc.com">Albert.Whale@IT-Security-inc.com</a><br>
Cell: 412-889-6870<br>
<br>
</div>
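<p>An added example for readers of this thread (not code from the original message or from the Suricata project): it parses a stats.log dump in the "counter | TM Name | Value" form shown above and computes the ratios that tell you whether the IPS itself is issuing DROP verdicts. The counter values embedded below are the ones quoted in the message (column padding shortened); the thresholds in <tt>findings()</tt> are illustrative assumptions, not Suricata defaults.</p>

```python
# Added example: parse a Suricata stats.log dump and flag IPS-related counters.
import re

# Constructed from the stats.log excerpt in the message above; values unchanged.
STATS_TEXT = """\
Date: 8/28/2018 -- 08:12:19 (uptime: 0d, 00h 42m 37s)
------------------------------------------------------------------------------------
Counter                    | TM Name  | Value
------------------------------------------------------------------------------------
decoder.pkts               | Total    | 20529
tcp.sessions               | Total    | 562
tcp.syn                    | Total    | 658
tcp.synack                 | Total    | 494
tcp.rst                    | Total    | 339
tcp.overlap                | Total    | 1555
app_layer.flow.tls         | Total    | 89
app_layer.flow.failed_tcp  | Total    | 3
ips.accepted               | Total    | 18777
ips.blocked                | Total    | 2077
"""

# Matches "name | TM Name | integer"; Date, separator and header rows do not match.
LINE_RE = re.compile(r"^(?P<name>[\w.]+)\s*\|\s*(?P<tm>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$")


def parse_stats(text: str) -> dict:
    """Return {counter_name: value} for every counter row in a stats.log dump."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def ips_health(c: dict) -> dict:
    """Ratios worth watching when an inline IPS is suspected of breaking sessions."""
    verdicts = c.get("ips.accepted", 0) + c.get("ips.blocked", 0)
    return {
        "blocked_ratio": c.get("ips.blocked", 0) / verdicts if verdicts else 0.0,
        "synack_per_syn": c.get("tcp.synack", 0) / c["tcp.syn"] if c.get("tcp.syn") else 0.0,
        "rst_per_session": c.get("tcp.rst", 0) / c["tcp.sessions"] if c.get("tcp.sessions") else 0.0,
        "overlap_per_pkt": c.get("tcp.overlap", 0) / c["decoder.pkts"] if c.get("decoder.pkts") else 0.0,
    }


def findings(c: dict, blocked_max: float = 0.01) -> list:
    """Human-readable flags; the thresholds are assumptions chosen for this example."""
    h, out = ips_health(c), []
    if h["blocked_ratio"] > blocked_max:  # 2077 of 20854 verdicts here, about 10%
        out.append(f"ips.blocked={c['ips.blocked']} ({h['blocked_ratio']:.1%} of verdicts): "
                   "the engine issued DROP verdicts; find the rule or stream setting behind them")
    if h["synack_per_syn"] < 0.9:  # 494/658 here: a quarter of SYNs never see a SYN/ACK
        out.append(f"tcp.synack/tcp.syn={h['synack_per_syn']:.2f}: many handshakes never complete")
    if h["overlap_per_pkt"] > 0.05:  # 1555/20529 here
        out.append(f"tcp.overlap={c['tcp.overlap']}: heavy segment overlap; confirm in a pcap "
                   "whether the same packets are being seen twice on the bridge")
    return out
```

Run it against a fresh dump from the IPS box and then again from the AF_PACKET IDS setup that works; if the blocked ratio is high only in the NFQUEUE run, that is the counter to chase before taking Wireshark traces.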
</body>
</html>