<div dir="ltr">Thank you.
195.68.154.66 is our pfSense router, which hosts Suricata and connects our LAN to the outside WAN. <div><br></div><div>When the 'messy' things start, I cannot even open the Whatsapp home page in my browser. I tried that yesterday because I initially thought that the problem was to do with the Whatsapp web version.</div><div><br></div><div>I am going to send you today's log tomorrow morning after I get it from my sysadmin. I will also provide my machine's local IP address.</div><div><br></div><div>Thanks again,</div><div><br></div><div>Vladislav Dubov</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>От: <strong class="gmail_sendername" dir="auto">James Moe</strong> <span dir="auto"><<a href="mailto:jimoe@sohnen-moe.com">jimoe@sohnen-moe.com</a>></span><br>Date: ср, 15 янв. 2020 г. в 22:42<br>Subject: Re: [Oisf-users] Unblock whatsapp<br>To: <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a> <<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>><br></div><br><br>On 2020-01-15 5:23 AM, Владислав Дубов wrote:<br>
<br>
I am not convinced that Suricata is the cause here, rather a symptom. There<br>
may be resource constraints that are aggravated by Suricata running in the host.<br>
The log shows something messy starting at 10:56:07 from IP 195.68.154.66,<br>
about when your Whatsapp failure starts. That IP does not resolve to anything here.<br>
<br>
> Today this behavior occurred again. Whatsapp stopped working at around 11AM+3:00.<br>
><br>
Here, Whatsapp shows IP addresses 169.55.60.148 and 108.168.254.65. Neither of<br>
those appear in your log, not even the first octet.<br>
What is the IP for Whatsapp at your location?<br>
<br>
The log shows only alerts; there are no dropped packets.<br>
<br>
Try this: disable the Suricata rules. In disable.conf add:<br>
# Disable all SURICATA rules<br>
re:SURICATA<br>
<br>
and restart Suricata.<br>
<br>
> Yesterday, when we stopped Suricata, Whatsapp restored<br>
> connection after some time.<br>
><br>
If the alert log was not rotated, suricata was stopped at 00:38:49?<br>
And when did Whatsapp reconnect?<br>
<br>
Execute this command at the router, post result:<br>
$ sudo iptables -nvL INPUT -w 3 | head -7<br>
<br>
<br>
-- <br>
James Moe<br>
moe dot james at sohnen-moe dot com<br>
520.743.3936<br>
Think.<br>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></div></div></div>