[Oisf-users] [Suricata - Bug #812] SonicWALL Adventail SSL VPN Issue in Suricata af-packet IPS Mode

Leonard Jacobs ljacobs at netsecuris.com
Tue Jun 11 12:13:58 UTC 2013


I also read that some network cards have features named Large Receive Offload (lro) and Generic Receive Offload (gro), and with these features enabled, the network card performs packet reassembly before they’re processed by the kernel.  Could this be making the packets too big when they hit af-packet? Should I disable lro and gro in the interfaces?

I think there are other settings in some interfaces that deal with packet fragmentation.  Should I look to disable those too?

Thanks.

-----Original Message-----
From: no-reply at openinfosecfoundation.org [mailto:no-reply at openinfosecfoundation.org] 
Sent: Tuesday, June 11, 2013 6:13 AM
To: ljacobs at netsecuris.com; victor at inliniac.net; hendomatic at gmail.com; oisf-internal-dev at openinfosecfoundation.org; iglesiasg at gmail.com; msolum59 at yahoo.com; petermanev at gmail.com
Subject: [Suricata - Bug #812] SonicWALL Adventail SSL VPN Issue in Suricata af-packet IPS Mode


Issue #812 has been updated by Eric Leblond.


Hello, can you try to set "defrag: no" in the af-packet interface configuration? Kernel defragmentation could result in packets bigger than the MTU being received.

----------------------------------------
Bug #812: SonicWALL Adventail SSL VPN Issue in Suricata af-packet IPS Mode
https://redmine.openinfosecfoundation.org/issues/812#change-3019

* Author: Leonard Jacobs
* Status: New
* Priority: Normal
* Assignee: 
* Category: 
* Target version: 
----------------------------------------
When enabling Suricata in af-packet IPS, the SSL VPN communications come to a halt.  SonicWALL might be doing SOCKS over HTTPS for their SSL VPN communications.

MTUs are set to 1500 on af-packet peered Ethernet interfaces.  

The SSL VPN works fine in IDS mode.
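
Added example, not part of the original thread or of Suricata: a shell check for the LRO/GRO question raised above. It reads `ethtool -k` output and prints the `ethtool -K` command that turns off whichever of the two offloads is enabled. The interface name `eth0`, the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: find enabled LRO/GRO in `ethtool -k` output and build the
# command that disables them. Function names and sample data are hypothetical.

# Reads `ethtool -k <iface>` output on stdin and prints the short flag name
# (lro / gro) of each receive-coalescing offload that is currently "on".
enabled_rx_offloads() {
    awk -F': *' '
        { sub(/^[ \t]+/, "", $1) }   # sub-features are tab-indented
        $1 == "large-receive-offload"   && $2 ~ /^on/ { print "lro" }
        $1 == "generic-receive-offload" && $2 ~ /^on/ { print "gro" }
    '
}

# Reads the same output on stdin and prints one `ethtool -K` command for the
# given interface, or nothing when neither offload is enabled.
disable_cmd() {
    iface=$1
    flags=$(enabled_rx_offloads | sort | tr '\n' ' ')
    [ -n "$flags" ] || return 0
    cmd="ethtool -K $iface"
    for f in $flags; do
        cmd="$cmd $f off"
    done
    printf '%s\n' "$cmd"
}

# Constructed sample of `ethtool -k eth0` output (not captured from a real host)
SAMPLE='Features for eth0:
rx-checksumming: on
tcp-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Live use on both af-packet peered interfaces: ethtool -k eth0 | disable_cmd eth0
printf '%s\n' "$SAMPLE" | disable_cmd eth0
```

The printed command must be run as root on each peered interface, and the setting does not survive a reboot unless it is also added to the distribution's interface configuration.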

