[Oisf-users] [Suricata - Bug #812] SonicWALL Adventail SSL VPN Issue in Suricata af-packet IPS Mode

Heine Lysemose lysemose at gmail.com
Tue Jun 11 12:31:22 UTC 2013


Hi Leonard

Take a look at this article,
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html.

Best practice would be to turn off all offloading.

Regards,
Lysemose
On Jun 11, 2013 2:16 PM, "Leonard Jacobs" <ljacobs at netsecuris.com> wrote:

> I also read that some network cards have features named Large Receive
> Offload (lro) and Generic Receive Offload (gro) and with these features
> enabled, the network card performs packet reassembly before they’re
> processed by the kernel.  Could this be making the packets too big when
> they hit af-packet? Should I disable lro and gro in the interfaces?
>
> I think there are other settings in some interfaces that deal with packet
> fragmentation.  Should I look to disable those too?
>
> Thanks.
>
> -----Original Message-----
> From: no-reply at openinfosecfoundation.org [mailto:
> no-reply at openinfosecfoundation.org]
> Sent: Tuesday, June 11, 2013 6:13 AM
> To: ljacobs at netsecuris.com; victor at inliniac.net; hendomatic at gmail.com;
> oisf-internal-dev at openinfosecfoundation.org; iglesiasg at gmail.com;
> msolum59 at yahoo.com; petermanev at gmail.com
> Subject: [Suricata - Bug #812] SonicWALL Adventail SSL VPN Issue in
> Suricata af-packet IPS Mode
>
>
> Issue #812 has been updated by Eric Leblond.
>
>
> Hello, can you try to set "defrag: no" in the af-packet interfaces
> configuration? Kernel defragmentation could result in packets bigger than
> the MTU being received.
>
> ----------------------------------------
> Bug #812: SonicWALL Adventail SSL VPN Issue in Suricata af-packet IPS Mode
> https://redmine.openinfosecfoundation.org/issues/812#change-3019
>
> * Author: Leonard Jacobs
> * Status: New
> * Priority: Normal
> * Assignee:
> * Category:
> * Target version:
> ----------------------------------------
> When enabling Suricata in af-packet IPS, the SSL VPN communications come
> to a halt.  SonicWALL might be doing SOCKS over HTTPS for their SSL VPN
> communications.
>
> MTUs are set to 1500 on af-packet peered Ethernet interfaces.
>
> The SSL VPN works fine in IDS mode.
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
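
Added example, not part of the original thread: a shell sketch that reads `ethtool -k` output and builds the `ethtool -K` command to switch off the offloads that let af-packet see frames larger than the MTU (lro and gro from the question, plus tso and gso in line with "turn off all offloading"). The interface name `eth1`, the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ethtool -k eth1` output (not taken from the thread).
sample_ethtool_k() {
cat <<'EOF'
Features for eth1:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
EOF
}

# Read `ethtool -k` output on stdin and print the short `ethtool -K` name of
# every coalescing/segmentation offload that is still on. Entries marked
# [fixed] cannot be changed through ethtool, so they are not listed.
enabled_offloads() {
    awk -F': *' '
        BEGIN {
            short["large-receive-offload"]        = "lro"
            short["generic-receive-offload"]      = "gro"
            short["tcp-segmentation-offload"]     = "tso"
            short["generic-segmentation-offload"] = "gso"
        }
        ($1 in short) && $2 ~ /^on[ \t]*$/ { print short[$1] }
    '
}

# Build the command that disables those offloads on interface $1.
# Prints nothing when every relevant offload is already off.
offload_fix_cmd() {
    iface=$1
    names=$(enabled_offloads | tr '\n' ' ')
    [ -n "$names" ] || return 0
    cmd="ethtool -K $iface"
    for n in $names; do
        cmd="$cmd $n off"
    done
    printf '%s\n' "$cmd"
}

# Demo on the constructed sample; on a live sensor the input would be
#   ethtool -k eth1 | offload_fix_cmd eth1
sample_ethtool_k | offload_fix_cmd eth1
```

In an af-packet IPS pair, both peered interfaces need the same treatment, and the setting does not survive a reboot unless it is added to the interface configuration.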