<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000066" bgcolor="#FFFFFF">
<font face="Calibri">Hi All,<br>
I am running Suricata 4.1.4 on Ubuntu 16.04 in inline mode. My
box also acts as an IPsec endpoint for users accessing the internet. My
box works as an access gateway in the sense that a user's IPsec tunnel
terminates on the box and the traffic is then forwarded to the
internet after source NATing. Suricata is the first module in the
system that receives all incoming packets from both the LAN and WAN
interfaces.<br>
I want to ...<br>
1. protect my box from DoS/DDoS, port-scanning and similar
attacks from the WAN side<br>
2. protect users from downloading any files that may contain
trojans etc.<br>
<br>
I am facing two problems ...<br>
1. For user traffic entering from the LAN side, Suricata
will see IPsec-encrypted payloads, which it cannot inspect, but the
return reply packets on the WAN will be plaintext. Suricata won't be
able to match that traffic to the same flow, will it?<br>
<br>
2. Even if I pass the user traffic entering the box after
IPsec decryption to Suricata on the LAN side, the traffic will be
SNATed on the WAN before going out to the internet. So user-generated
traffic is, say, from A to C; after SNAT it will become, say, B to C.
Suricata has mapped a flow from A to C, as the SNAT happened on the
way out on the WAN. Now the return reply traffic is C to B on the WAN, and
Suricata sees the packet as C to B only. Suricata will add this
as a new flow from C to B, as it cannot match it to its original flow of A
to C. Suricata won't be able to map this as a bidirectional flow?
Will it affect Suricata's inspection capability?<br>
<br>
Should I enable the "async-oneside" setting in the yaml for these
cases? Will it help?<br>
<br>
</font>
<div class="moz-signature">Thanks & Regards,<br>
Vishal V. Kotalwar<br>
<pre class="moz-signature" cols="72">
</pre>
</div>
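<p>Added example (editor's code, not part of the mail above and not Suricata's own code): a small Python model of the flow-table problem described in question 2. It keys flows by a direction-independent 5-tuple, the way an IDS flow table does, runs one request/reply exchange through a toy stateful SNAT, and feeds the packets to the flow table from three different hook points. The addresses, ports and the three hook names ("mixed", "wire", "forward") are constructed for the example; "forward" models the position between the two NAT translation steps (on Linux, the netfilter FORWARD chain, after conntrack has reversed the SNAT on replies in PREROUTING and before SNAT is applied in POSTROUTING).</p>

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample addresses (RFC 5737 documentation ranges), not from the mail.
CLIENT_A = "10.8.0.5"        # user's address inside the IPsec tunnel ("A")
WAN_IP = "198.51.100.2"      # gateway's WAN address used for SNAT ("B")
SERVER_C = "203.0.113.10"    # internet server ("C")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


FlowKey = Tuple[str, str, int, int, str]


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent 5-tuple, the way an IDS flow table keys flows:
    A:p1 -> C:p2 and C:p2 -> A:p1 produce the same key."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (lo[0], hi[0], lo[1], hi[1], p.proto)


class FlowTable:
    """Toy flow tracker: the first packet of a flow fixes the to-server
    direction; a flow counts as bidirectional once both directions were seen."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, dict] = {}

    def track(self, p: Packet) -> None:
        entry = self.flows.setdefault(
            flow_key(p), {"client": (p.src, p.sport), "to_server": 0, "to_client": 0}
        )
        if (p.src, p.sport) == entry["client"]:
            entry["to_server"] += 1
        else:
            entry["to_client"] += 1

    def bidirectional(self) -> int:
        return sum(1 for f in self.flows.values() if f["to_server"] and f["to_client"])

    def clients(self) -> List[str]:
        return [f["client"][0] for f in self.flows.values()]


class SnatGateway:
    """Minimal stateful source NAT, standing in for conntrack/SNAT on the box:
    outbound packets get the WAN address, matching replies are translated back."""

    def __init__(self, wan_ip: str) -> None:
        self.wan_ip = wan_ip
        self.next_port = 40000
        # (nat_port, dst, dport) -> (orig_src, orig_sport)
        self.mappings: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def snat(self, p: Packet) -> Packet:
        """Outbound translation, applied after forwarding (POSTROUTING on Linux)."""
        nat_port = self.next_port
        self.next_port += 1
        self.mappings[(nat_port, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.wan_ip, nat_port, p.dst, p.dport, p.proto)

    def unsnat(self, p: Packet) -> Packet:
        """Reverse translation for a reply, applied before forwarding (PREROUTING).
        Replies without a mapping are returned unchanged."""
        orig = self.mappings.get((p.dport, p.src, p.sport))
        if orig is None or p.dst != self.wan_ip:
            return p
        return Packet(p.src, p.sport, orig[0], orig[1], p.proto)


def run_session(hook: str) -> FlowTable:
    """Feed one request/reply exchange to a flow table as seen from one hook point:
      "mixed"   - the situation in the mail: outbound seen after IPsec decryption
                  on the LAN side (A -> C), reply seen on WAN ingress before the
                  NAT is reversed (C -> B)
      "wire"    - both directions on the WAN interface (B -> C, C -> B)
      "forward" - both directions between the two translation steps (A -> C, C -> A)
    """
    gw = SnatGateway(WAN_IP)
    ft = FlowTable()
    req = Packet(CLIENT_A, 51000, SERVER_C, 80)                       # decrypted user packet
    req_wire = gw.snat(req)                                           # B:40000 -> C:80 on the wire
    reply_wire = Packet(SERVER_C, 80, req_wire.src, req_wire.sport)   # C:80 -> B:40000
    reply_fwd = gw.unsnat(reply_wire)                                 # C:80 -> A:51000

    seen = {
        "mixed": [req, reply_wire],
        "wire": [req_wire, reply_wire],
        "forward": [req, reply_fwd],
    }[hook]
    for p in seen:
        ft.track(p)
    return ft


def summary(hook: str) -> dict:
    ft = run_session(hook)
    return {
        "flows": len(ft.flows),
        "bidirectional": ft.bidirectional(),
        "real_client_visible": CLIENT_A in ft.clients(),
    }


if __name__ == "__main__":
    for name in ("mixed", "wire", "forward"):
        print(name, summary(name))
```

<p>Running it shows the three outcomes side by side: the "mixed" hook produces two one-sided flows with different keys, "wire" produces one bidirectional flow but only the gateway's WAN address is visible as the client, and "forward" produces one bidirectional flow that still carries the user's real address. Since flows are keyed on the 5-tuple, a stream-engine toggle such as async-oneside (under <code>stream:</code> in suricata.yaml) changes how a one-sided flow is handled but cannot merge two differently keyed flows; only moving the hook point to where both directions carry the same addresses does that.</p>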
</body>
</html>