[Oisf-users] Question on combined protocols

Victor Julien lists at inliniac.net
Tue May 14 14:02:29 UTC 2013


On 05/14/2013 02:52 PM, Leonard Jacobs wrote:
> According to references on the web, SonicWALL Adventail SSL VPN uses non-RFC-compliant SSL VPN by using SOCKS over HTTPS. The references refer to problems similar to what we experience with af-packet IPS mode where packets are getting dropped (not due to IPS but just flow stops). When doing a packet capture, we see a lot of TCP Retransmissions. According to references, turning off stateful inspection for 443 on the firewall solves the problem, but Suricata is not a firewall so there is no stateful inspection.
> 
> I am suggesting to the firewall folks that they need to turn off stateful inspection for this SSL VPN traffic because the SSL VPN device is in a DMZ on their firewall. They are checking with the firewall vendor.

Suricata's inspection is definitely stateful.

> IDS mode with Suricata works fine.
> 
> We have tried decreasing the TCP flow timeouts but that does not solve the problem.  We have considered using an alternative IPS to Suricata as a test to see if the problem goes away.

I would suggest /increasing/ the time outs, not decreasing.

> Do you have any ideas or suggestions?

To me it sounds like your SSL product is broken, so I'd push them for a
fix. If their answer is to disable stateful inspection, you know they
have problems for sure.

Cheers,
Victor


> 
> Thanks.
> 
> -----Original Message-----
> From: oisf-users-bounces at openinfosecfoundation.org [mailto:oisf-users-bounces at openinfosecfoundation.org] On Behalf Of Victor Julien
> Sent: Tuesday, May 14, 2013 5:43 AM
> To: oisf-users at openinfosecfoundation.org
> Subject: Re: [Oisf-users] Question on combined protocols
> 
> On 05/13/2013 08:47 PM, Leonard Jacobs wrote:
>>  
>> Would Suricata and af-packet in IPS mode have difficulty processing 
>> network traffic using combined protocols such as SOCKS over HTTPS?
> 
> It shouldn't have. Are you seeing problems?
> 
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
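The timeout advice above is about Suricata's per-flow timers, which live in the flow-timeouts section of suricata.yaml. The fragment below is an added illustration, not configuration from the original post or from the Suricata project: it shows a shortened tcp timeout block of the kind the poster tried (which makes idle or retransmitting flows age out sooner, so later packets arrive without flow state) next to a lengthened one. The numbers are illustrative assumptions, not recommended values; the keys shown are the ones used in suricata.yaml, and older 1.x releases spell the emergency ones with underscores (emergency_new), so compare against the file shipped with your version.

```yaml
# Added example: two versions of the tcp block under flow-timeouts in suricata.yaml.
# Values are illustrative assumptions, not tuning recommendations.

# Shortened timeouts (the direction the poster tried). A long-lived SSL VPN
# session that idles or retransmits for longer than 'established' seconds loses
# its flow record; the next packets are seen as a flow that never completed a
# handshake, which is a common cause of the "flow just stops" symptom in IPS mode.
flow-timeouts:
  tcp:
    new: 10
    established: 60
    closed: 10
    emergency-new: 5
    emergency-established: 30
    emergency-closed: 5

# Lengthened timeouts (what the reply suggests). The established timer is kept
# well above the VPN's keepalive interval so idle tunnels keep their flow state;
# emergency values still shrink the table if memory pressure forces it.
flow-timeouts:
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
```

Only one flow-timeouts block may appear in the real file; the two are shown side by side for comparison. After changing the values, confirm they were picked up with suricata --dump-config (grep for flow-timeouts) before re-testing the VPN traffic, and watch the flow.emerg_mode_entered counter in the stats output: if emergency mode is being entered, the flow table itself is too small and the emergency timeouts, not the normal ones, are what is aging the sessions out.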



