[Oisf-users] Question on combined protocols

Victor Julien lists at inliniac.net
Tue May 14 14:06:00 UTC 2013

Btw you mail server still rejects my emails, very annoying to get an
error each time I mail you:

he original message was received at Tue, 14 May 2013 15:46:19 +0200
from a80-101-90-58.adsl.xs4all.nl []

   ----- The following addresses had permanent fatal errors -----
<ljacobs at netsecuris.com>
    (reason: 550 5.7.1 Service unavailable; Client host []
blocked using Trend Micro RBL+.  Please
s...ail-abuse.com/cgi-bin/lookup?ip_address=; User defined
policy matched for

   ----- Transcript of session follows -----
... while talking to in.sjc.mx.trendmicro.com.:
>>> DATA
<<< 550 5.7.1 Service unavailable; Client host [] blocked
using Trend Micro RBL+.  Please see
http://www.mail-abuse.com/cgi-bin/lookup?ip_address=; User
defined policy matched for
550 5.1.1 <ljacobs at netsecuris.com>... User unknown
<<< 554 5.5.1 Error: no valid recipients

On 05/14/2013 04:02 PM, Victor Julien wrote:
> On 05/14/2013 02:52 PM, Leonard Jacobs wrote:
>> According to references on the web, SonicWALL Adventail SSL VPN uses non-RFC compliant SSL VPN by using SOCKS over HTTPS.  The references refer to problems similar to what we experience with af-packet IPS mode where packets are getting dropped (not due to IPS but just flow stops).  When doing a packet capture, we see a lot of TCP Retransmissions.   According to references, turning off statefull inspection for 443 on firewall solves the problem but Suricata is not a firewall so there is no stateful  inspection.
>> I am suggesting to the firewall folks that they need to turn off stateful inspection for this SSL VPN traffic because the SSL VPN device is in a DMZ on their firewall.   They are checking with firewall vendor.
> Suricata's inspection is definitely stateful.
>> IDS mode with Suricata works fine.
>> We have tried decreasing the TCP flow timeouts but that does not solve the problem.  We have considered using an alternative IPS to Suricata as a test to see if the problem goes away.
> I would suggest /increasing/ the time outs, not decreasing.
>> Do you have any ideas or suggestions?
> To me it sounds like your SSL product is broken, so I'd push them for a
> fix. If their answer is to disable stateful inspection, you know they
> have problems for sure.
> Cheers,
> Victor
>> Thanks.
>> -----Original Message-----
>> From: oisf-users-bounces at openinfosecfoundation.org [mailto:oisf-users-bounces at openinfosecfoundation.org] On Behalf Of Victor Julien
>> Sent: Tuesday, May 14, 2013 5:43 AM
>> To: oisf-users at openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Question on combined protocols
>> On 05/13/2013 08:47 PM, Leonard Jacobs wrote:
>>> Would Suricata and af-packet in IPS mode have difficulty processing 
>>> network traffic using combined protocols such as SOCKS over HTTPS?
>> It shouldn't have. Are you seeing problems?
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list