[Oisf-users] Question on combined protocols
Victor Julien
lists at inliniac.net
Tue May 14 14:02:29 UTC 2013
On 05/14/2013 02:52 PM, Leonard Jacobs wrote:
> According to references on the web, SonicWALL Aventail SSL VPN uses non-RFC compliant SSL VPN by using SOCKS over HTTPS. The references refer to problems similar to what we experience with af-packet IPS mode where packets are getting dropped (not due to IPS but just flow stops). When doing a packet capture, we see a lot of TCP Retransmissions. According to references, turning off stateful inspection for 443 on the firewall solves the problem, but Suricata is not a firewall so there is no stateful inspection.
>
> I am suggesting to the firewall folks that they need to turn off stateful inspection for this SSL VPN traffic because the SSL VPN device is in a DMZ on their firewall. They are checking with firewall vendor.
Suricata's inspection is definitely stateful.
> IDS mode with Suricata works fine.
>
> We have tried decreasing the TCP flow timeouts but that does not solve the problem. We have considered using an alternative IPS to Suricata as a test to see if the problem goes away.
I would suggest /increasing/ the timeouts, not decreasing.
> Do you have any ideas or suggestions?
To me it sounds like your SSL product is broken, so I'd push them for a fix. If their answer is to disable stateful inspection, you know they have problems for sure.
Cheers,
Victor
>
> Thanks.
>
> -----Original Message-----
> From: oisf-users-bounces at openinfosecfoundation.org [mailto:oisf-users-bounces at openinfosecfoundation.org] On Behalf Of Victor Julien
> Sent: Tuesday, May 14, 2013 5:43 AM
> To: oisf-users at openinfosecfoundation.org
> Subject: Re: [Oisf-users] Question on combined protocols
>
> On 05/13/2013 08:47 PM, Leonard Jacobs wrote:
>>
>> Would Suricata and af-packet in IPS mode have difficulty processing
>> network traffic using combined protocols such as SOCKS over HTTPS?
>
> It shouldn't have. Are you seeing problems?
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
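The thread's advice is to raise, not lower, Suricata's TCP flow timeouts. The following suricata.yaml fragment is an added illustration, not configuration from the thread or from the Suricata project: it shows where those timeouts live and what a more generous setting for long-lived, mostly idle SSL VPN tunnels looks like. The key names are the real `flow-timeouts` section; the "before" figures are the stock defaults of that era and the "after" figures are assumed values to be tuned to the site's own session lengths and memory budget.

```yaml
# suricata.yaml excerpt (added example). All values are seconds.
# "before" comments show the stock defaults; the uncommented values
# are an assumed, more generous setting for long-lived VPN sessions.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    # before: 3600. An established but idle tunnel is kept in the
    # flow table for four hours before Suricata forgets it.
    established: 14400
    # before: 120. Closed flows are remembered a little longer.
    closed: 300
    # "emergency" values apply only when the flow engine runs low
    # on memory; raising them too makes the engine less eager to
    # shed long-lived flows under pressure.
    emergency-new: 10
    emergency-established: 1800
    emergency-closed: 60
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
```

After editing, confirm the values Suricata actually loaded with `suricata -c suricata.yaml --dump-config`, which prints the effective settings as dotted keys (for example `flow-timeouts.tcp.established`), and re-check the capture for retransmissions before concluding the timeouts were the cause: if the flow still stalls with four-hour timeouts, the problem is elsewhere, which is consistent with the reply above pointing at the SSL VPN product itself.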