[Oisf-users] Question on combined protocols

Leonard Jacobs ljacobs at netsecuris.com
Tue May 14 12:52:52 UTC 2013

According to references on the web, SonicWALL Aventail SSL VPN uses non-RFC compliant SSL VPN by using SOCKS over HTTPS. The references refer to problems similar to what we experience with af-packet IPS mode where packets are getting dropped (not due to IPS but just flow stops). When doing a packet capture, we see a lot of TCP Retransmissions. According to references, turning off stateful inspection for 443 on the firewall solves the problem, but Suricata is not a firewall so there is no stateful inspection.

I am suggesting to the firewall folks that they need to turn off stateful inspection for this SSL VPN traffic because the SSL VPN device is in a DMZ on their firewall. They are checking with the firewall vendor.

IDS mode with Suricata works fine.

We have tried decreasing the TCP flow timeouts but that does not solve the problem.  We have considered using an alternative IPS to Suricata as a test to see if the problem goes away.

Do you have any ideas or suggestions?


-----Original Message-----
From: oisf-users-bounces at openinfosecfoundation.org [mailto:oisf-users-bounces at openinfosecfoundation.org] On Behalf Of Victor Julien
Sent: Tuesday, May 14, 2013 5:43 AM
To: oisf-users at openinfosecfoundation.org
Subject: Re: [Oisf-users] Question on combined protocols

On 05/13/2013 08:47 PM, Leonard Jacobs wrote:
> Would Suricata and af-packet in IPS mode have difficulty processing 
> network traffic using combined protocols such as SOCKS over HTTPS?

It shouldn't have. Are you seeing problems?

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/