<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr">Are you saying you can use WhatsApp and other pages?</div><div dir="ltr"><br></div><div dir="ltr">My theory says those rules starting with Suricata, were blocking SSL. They are supposed to identify weirdness, anomalies in protocols, that might signify there’s an attack not detected by any other rule.</div><div dir="ltr"><br></div><div dir="ltr">This assumption is sometimes broken by less than perfect protocol implementation in various software.</div><div dir="ltr"><br></div><div dir="ltr">I’d say, be careful when using those.</div><div dir="ltr"><br><blockquote type="cite">On Jan 17, 2020, at 2:34 AM, Владислав Дубов <vladislav.dubov@gmail.com> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="ltr">Thank you. The router box has the following configuration<div><br></div><div>Intel(R) Xeon(TM) CPU 2.80GHz<br>2 CPUs: 1 package(s) x 2 hardware threads<br>AES-NI CPU Crypto: No<br></div><div>Memory 1997 MiB</div><div><br></div><div>Is it adequate for our needs?</div><div><br></div><div>We have now switched SURICATA altogether. We are not experiencing any network problems at all.</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">пт, 17 янв. 2020 г. в 00:18, James Moe <<a href="mailto:jimoe@sohnen-moe.com">jimoe@sohnen-moe.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 2020-01-15 1:15 PM, Владислав Дубов wrote:<br>
<br>
> Thank you. 195.68.154.66 is our pfSense router, which hosts Suricata and<br>
> connects our LAN to the outside WAN. <br>
> <br>
Ah. That's helpful.<br>
I also wanted the IP address for <a href="http://whatsapp.com" rel="noreferrer" target="_blank">whatsapp.com</a> for your locale.<br>
<br>
Looking at the log, at 10:56:07 a lot of DNS requests are listed, followed by<br>
some email, then a large amount of traffic between 94.124.195.19 and<br>
195.68.154.75. It continues throughout the day.<br>
<br>
> When the 'messy' things start, I cannot even open the Whatsapp home page in my<br>
> browser.<br>
><br>
How much memory does the router have?<br>
How much free RAM is available when Suricata is running? If the router is<br>
swapping to disk, that slows processing to teletype speeds.<br>
What is the CPU usage when Suricata is running? Suricata is quite demanding of<br>
CPU resources.<br>
<br>
Please try disabling the SURICATA rules. In disable.conf add:<br>
# Disable all SURICATA rules<br>
re:SURICATA<br>
<br>
-- <br>
James Moe<br>
moe dot james at sohnen-moe dot com<br>
520.743.3936<br>
Think.<br>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div>
<span>_______________________________________________</span><br><span>Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org</span><br><span>Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/</span><br><span>List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</span><br><span></span><br><span>Conference: https://suricon.net</span><br><span>Trainings: https://suricata-ids.org/training/</span></div></blockquote></body></html>