<div dir="ltr">Attached is our configuration.<br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>From: <strong class="gmail_sendername" dir="auto">Владислав Дубов</strong> <span dir="auto"><<a href="mailto:vladislav.dubov@gmail.com">vladislav.dubov@gmail.com</a>></span><br>Date: Thu, 16 Jan 2020 at 00:17<br>Subject: Fwd: [Oisf-users] Fwd: Unblock whatsapp<br>To: <<a href="mailto:Oisf-users@lists.openinfosecfoundation.org">Oisf-users@lists.openinfosecfoundation.org</a>><br></div><br><br><div dir="ltr">Thank you. How can I view the configuration? I am totally new to this.<br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>From: <strong class="gmail_sendername" dir="auto">Michał Purzyński</strong> <span dir="auto"><<a href="mailto:michalpurzynski1@gmail.com" target="_blank">michalpurzynski1@gmail.com</a>></span><br>Date: Wed, 15 Jan 2020 at 23:41<br>Subject: Re: [Oisf-users] Fwd: Unblock whatsapp<br>To: Владислав Дубов <<a href="mailto:vladislav.dubov@gmail.com" target="_blank">vladislav.dubov@gmail.com</a>><br>Cc: Open Information Security Foundation <<a href="mailto:Oisf-users@lists.openinfosecfoundation.org" target="_blank">Oisf-users@lists.openinfosecfoundation.org</a>><br></div><br><br><div dir="ltr">If Suricata is blocking anything, there will be an alert or a few. Can you share your configuration and the events that are generated? The eve-log, ideally.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jan 15, 2020 at 12:22 PM Владислав Дубов <<a href="mailto:vladislav.dubov@gmail.com" target="_blank">vladislav.dubov@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">My notebook's local IP address was 192.168.33.217. 
I use the Whatsapp web version via Chrome.<br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>From: <strong class="gmail_sendername" dir="auto">Владислав Дубов</strong> <span dir="auto"><<a href="mailto:vladislav.dubov@gmail.com" target="_blank">vladislav.dubov@gmail.com</a>></span><br>Date: Wed, 15 Jan 2020 at 23:15<br>Subject: Fwd: [Oisf-users] Unblock whatsapp<br>To: <<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>><br></div><br><br><div dir="ltr">Thank you.
195.68.154.66 is our pfSense router, which hosts Suricata and connects our LAN to the outside WAN. <div><br></div><div>When the 'messy' things start, I cannot even open the Whatsapp home page in my browser. I tried that yesterday because I initially thought that the problem had to do with the Whatsapp web version.</div><div><br></div><div>I am going to send you today's log tomorrow morning after I get it from my sysadmin. I will also provide my machine's local IP address.</div><div><br></div><div>Thanks again,</div><div><br></div><div>Vladislav Dubov</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>From: <strong class="gmail_sendername" dir="auto">James Moe</strong> <span dir="auto"><<a href="mailto:jimoe@sohnen-moe.com" target="_blank">jimoe@sohnen-moe.com</a>></span><br>Date: Wed, 15 Jan 2020 at 22:42<br>Subject: Re: [Oisf-users] Unblock whatsapp<br>To: <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a> <<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a>><br></div><br><br>On 2020-01-15 5:23 AM, Владислав Дубов wrote:<br>
<br>
I am not convinced that Suricata is the cause here, rather a symptom. There<br>
may be resource constraints that are aggravated by Suricata running in the host.<br>
The log shows something messy starting at 10:56:07 from IP 195.68.154.66,<br>
about when your Whatsapp failure starts. That IP does not resolve to anything here.<br>
<br>
> Today this behavior occurred again. Whatsapp stopped working at around 11AM+3:00.<br>
><br>
Here, Whatsapp shows IP addresses 169.55.60.148 and 108.168.254.65. Neither of<br>
those appear in your log, not even the first octet.<br>
What is the IP for Whatsapp at your location?<br>
<br>
The log shows only alerts; there are no dropped packets.<br>
<br>
Try this: disable the Suricata rules. In disable.conf add:<br>
# Disable all SURICATA rules<br>
re:SURICATA<br>
<br>
and restart Suricata.<br>
<br>
> Yesterday, when we stopped Suricata, Whatsapp restored<br>
> connection after some time.<br>
><br>
If the alert log was not rotated, suricata was stopped at 00:38:49?<br>
And when did Whatsapp reconnect?<br>
<br>
Execute this command at the router, post result:<br>
$ sudo iptables -nvL INPUT -w 3 | head -7<br>
<br>
<br>
-- <br>
James Moe<br>
moe dot james at sohnen-moe dot com<br>
520.743.3936<br>
Think.<br>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></div></div></div>
</div></div>
</blockquote></div>
</div></div>
</div></div>
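<p>The diagnosis in the thread hinges on one question: does the eve-log for the failure window contain only <code>alert</code> events, or are there <code>drop</code> events (or alerts with <code>action: blocked</code>) touching the client or the remote hosts? The script below is an added example, not code from the thread or from the Suricata project. It reads EVE JSON lines, keeps only events inside a time window, and reports per-event-type counts, any blocked traffic, and how often each host of interest appears. The log lines embedded in it are constructed for illustration (the signature IDs and texts are placeholders, and the IPs are the ones mentioned in the thread); a real run would read <code>eve.json</code> from the sensor instead.</p>

```python
"""Triage a Suricata eve.json: did Suricata merely alert, or did it block?

Added example, not from the mailing-list thread. Field names follow the
Suricata EVE JSON format (timestamp, event_type, src_ip, dest_ip, alert.action,
alert.signature). The SAMPLE_EVE lines below are constructed; signature IDs
and texts are placeholders, the IPs are the ones discussed in the thread.
"""
import json
from collections import Counter
from datetime import datetime

# Constructed sample log. Timestamps use Suricata's EVE format with a UTC offset.
# The last line is deliberately not JSON (a torn line from log rotation).
SAMPLE_EVE = """\
{"timestamp":"2020-01-15T10:55:59.000000+0300","event_type":"flow","src_ip":"192.168.33.217","dest_ip":"108.168.254.65","proto":"TCP"}
{"timestamp":"2020-01-15T10:56:07.101000+0300","event_type":"alert","src_ip":"195.68.154.66","dest_ip":"192.168.33.217","proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"PLACEHOLDER stream anomaly","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2020-01-15T10:56:08.200000+0300","event_type":"alert","src_ip":"192.168.33.217","dest_ip":"108.168.254.65","proto":"TCP","alert":{"action":"allowed","signature_id":9000002,"signature":"PLACEHOLDER invalid ack","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2020-01-15T10:56:09.300000+0300","event_type":"drop","src_ip":"192.168.33.217","dest_ip":"108.168.254.65","proto":"TCP","alert":{"action":"blocked","signature_id":9000002,"signature":"PLACEHOLDER invalid ack","category":"Generic Protocol Command Decode","severity":3}}
not json at all
"""


def parse_eve(text):
    """Yield decoded EVE records, skipping lines that are not valid JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # torn line (rotation) or non-EVE content; ignore it


def parse_ts(ts):
    """Parse an EVE timestamp such as 2020-01-15T10:56:07.101000+0300."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def triage(text, start, end, hosts=()):
    """Summarise events in [start, end].

    Returns a dict with:
      by_type: Counter of event_type values seen in the window
      blocked: list of (timestamp, src, dst, signature) for dropped/blocked traffic
      seen:    per host of interest, how many events name it as src or dst
    """
    start_dt, end_dt = parse_ts(start), parse_ts(end)
    by_type = Counter()
    blocked = []
    seen = {h: 0 for h in hosts}
    for ev in parse_eve(text):
        ts = parse_ts(ev["timestamp"])
        if not (start_dt <= ts <= end_dt):
            continue
        et = ev.get("event_type")
        by_type[et] += 1
        for h in hosts:
            if h in (ev.get("src_ip"), ev.get("dest_ip")):
                seen[h] += 1
        # A plain "alert" with action "allowed" is only a log entry. Traffic is
        # actually stopped when Suricata emits event_type "drop", or an alert
        # whose action is "blocked" (a drop rule fired in IPS mode).
        alert = ev.get("alert", {})
        if et == "drop" or alert.get("action") == "blocked":
            blocked.append((ev["timestamp"], ev.get("src_ip"),
                            ev.get("dest_ip"), alert.get("signature")))
    return {"by_type": dict(by_type), "blocked": blocked, "seen": seen}


def suricata_is_dropping(result):
    """True only if the window contains blocked traffic, not just alerts."""
    return len(result["blocked"]) > 0


if __name__ == "__main__":
    res = triage(SAMPLE_EVE,
                 "2020-01-15T10:56:00.000000+0300",
                 "2020-01-15T11:00:00.000000+0300",
                 hosts=("192.168.33.217", "195.68.154.66",
                        "169.55.60.148", "108.168.254.65"))
    print("events by type:", res["by_type"])
    print("hosts seen:", res["seen"])
    for row in res["blocked"]:
        print("BLOCKED:", *row)
    print("Suricata dropping traffic in window:", suricata_is_dropping(res))
```

<p>On a real sensor, replace <code>SAMPLE_EVE</code> with the contents of <code>eve.json</code> and set the window around the failure (11:00 +03:00 in the thread). If <code>blocked</code> comes back empty while the client and the Whatsapp endpoints do appear in <code>seen</code>, the log supports the view in the thread that Suricata is alerting rather than blocking, and the cause is elsewhere. One platform caveat: pfSense is FreeBSD-based and filters with pf, so the <code>iptables</code> check suggested in the thread does not apply there; the pfSense Snort/Suricata packages record hosts they block in the pf table <code>snort2c</code>, which can be listed with <code>pfctl -t snort2c -T show</code>.</p>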