[Oisf-users] Trouble with Suricata and SSL VPN

Leonard Jacobs ljacobs at netsecuris.com
Mon May 6 12:43:56 UTC 2013


It did not seem to matter what the TCP flow-timeouts were set to.  We tried several settings including the same timeouts as emergency.  I also increased the flow memory to 128 mb from the default but that did not make a difference either.

However, we did see error messages pop up when trying the SSL VPN.  All other traffic works fine in IPS mode, and all traffic including SSL VPN works fine in IDS mode.

SC_ERR_INVALID_ACTION(142)
Sending packet failed on Socket 8: Message too long
Unable to release packet data

We saw these errors attributable to all sockets. As soon as we tried SSL VPN connections, a whole bunch of these errors popped up on the console.

Some web pages appear slowly but do appear if they are simpler pages from the SSL VPN portal.  OWA, for example, appears very slowly but disconnects too. So more complex pages from the SSL VPN portal disconnect.

What could be causing this problem when using SSL VPN and af-packet IPS mode?  HTTPS from the Internet works fine.  Why only with SSL VPN?

Thanks,

Leonard

-----Original Message-----
From: oisf-users-bounces at openinfosecfoundation.org [mailto:oisf-users-bounces at openinfosecfoundation.org] On Behalf Of Victor Julien
Sent: Wednesday, May 01, 2013 3:01 AM
To: oisf-users at openinfosecfoundation.org
Subject: Re: [Oisf-users] Trouble with Suricata and SSL VPN

On 04/30/2013 02:05 PM, Leonard Jacobs wrote:
> Yes.  It appears that the problem only occurs with SonicWALL Adventail SSL VPN. It is reported that connecting to it is slow and it disconnects as if a timeout occurs.  We have increased the number of af-packet threads to 6 from the 4 that was set yesterday, and we changed the cpu cores setting in suricata.yaml from the default of 1.5 to 2. We are running an i7 processor which has 4 cores and 8 threads.

Does the disconnect interval relate to any of the flow-timeout values in your yaml? If so you can try increasing those, or forcing a keep-alive mechanism in the vpn to stay within the timeout values.

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml#Flow-Time-Outs

Cheers,
Victor

> -----Original Message-----
> From: Peter Manev [mailto:petermanev at gmail.com]
> Sent: Tuesday, April 30, 2013 2:08 AM
> To: Leonard Jacobs
> Cc: oisf-users
> Subject: Re: [Oisf-users] Trouble with Suricata and SSL VPN
> 
> On Mon, Apr 29, 2013 at 6:02 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
>> We are having a network latency problem using af-packet IPS mode when 
>> accessing SSL VPN to the point that SSL VPN disconnects.  What could 
>> be causing this problem?
>>
>> We are using 4 threads with af-packet.  We are seeing the connection 
>> in http.log file.
>>
>> Leonard
>>
>>
> Hi Leonard,
> 
> Do you experience that (in this setup) only with SSL VPN?
> 
> thanks
> 
> --
> Regards,
> Peter Manev
> 


--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/
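To triage the console errors quoted above when they appear across many sockets at once, here is an added example (not from the thread and not Suricata's own code) that parses the three-line error sequence and groups the send failures per socket and per reason. The sample console text is constructed in the shape shown in the mail, and reading "Message too long" as an over-MTU frame is my own assumption about what EMSGSIZE means on a packet socket, not something the thread states.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the console output quoted in the thread
# (not a real capture): the three-line sequence repeats once per failed send.
SAMPLE_CONSOLE = """\
SC_ERR_INVALID_ACTION(142)
Sending packet failed on Socket 8: Message too long
Unable to release packet data
SC_ERR_INVALID_ACTION(142)
Sending packet failed on Socket 8: Message too long
Unable to release packet data
SC_ERR_INVALID_ACTION(142)
Sending packet failed on Socket 3: Message too long
Unable to release packet data
SC_ERR_INVALID_ACTION(142)
Sending packet failed on Socket 5: Network is down
Unable to release packet data
"""

SEND_FAIL = re.compile(r"Sending packet failed on Socket (\d+): (.+)$")


def summarise_send_failures(console_text):
    """Return {socket: {reason: count}} for every 'Sending packet failed' line."""
    per_socket = defaultdict(Counter)
    for line in console_text.splitlines():
        m = SEND_FAIL.search(line)
        if m:
            per_socket[int(m.group(1))][m.group(2).strip()] += 1
    return {sock: dict(reasons) for sock, reasons in per_socket.items()}


def oversized_frame_sockets(summary):
    """Sockets whose failures include 'Message too long' (strerror of EMSGSIZE).

    Assumption (general kernel behaviour, not stated in the thread): a packet
    socket returns EMSGSIZE when the frame handed to it is larger than the
    egress interface accepts, so these sockets are the ones to check for
    MTU and offload settings on the af-packet interface pair.
    """
    return sorted(s for s, reasons in summary.items() if "Message too long" in reasons)


if __name__ == "__main__":
    summary = summarise_send_failures(SAMPLE_CONSOLE)
    for sock in sorted(summary):
        print(f"socket {sock}: {summary[sock]}")
    print("sockets with oversized frames:", oversized_frame_sockets(summary))
```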
