[Oisf-users] Question on combined protocols

Victor Julien lists at inliniac.net
Tue May 14 14:06:00 UTC 2013


Btw your mail server still rejects my emails, very annoying to get an
error each time I mail you:

The original message was received at Tue, 14 May 2013 15:46:19 +0200
from a80-101-90-58.adsl.xs4all.nl [80.101.90.58]

   ----- The following addresses had permanent fatal errors -----
<ljacobs at netsecuris.com>
    (reason: 550 5.7.1 Service unavailable; Client host [83.215.238.27]
blocked using Trend Micro RBL+.  Please
s...ail-abuse.com/cgi-bin/lookup?ip_address=83.215.238.27; User defined
policy matched for 83.215.238.27)

   ----- Transcript of session follows -----
... while talking to in.sjc.mx.trendmicro.com.:
>>> DATA
<<< 550 5.7.1 Service unavailable; Client host [83.215.238.27] blocked
using Trend Micro RBL+.  Please see
http://www.mail-abuse.com/cgi-bin/lookup?ip_address=83.215.238.27; User
defined policy matched for 83.215.238.27
550 5.1.1 <ljacobs at netsecuris.com>... User unknown
<<< 554 5.5.1 Error: no valid recipients


On 05/14/2013 04:02 PM, Victor Julien wrote:
> On 05/14/2013 02:52 PM, Leonard Jacobs wrote:
>> According to references on the web, SonicWALL Aventail SSL VPN uses non-RFC compliant SSL VPN by using SOCKS over HTTPS. The references refer to problems similar to what we experience with af-packet IPS mode where packets are getting dropped (not due to IPS but just flow stops). When doing a packet capture, we see a lot of TCP Retransmissions. According to references, turning off stateful inspection for 443 on firewall solves the problem but Suricata is not a firewall so there is no stateful inspection.
>>
>> I am suggesting to the firewall folks that they need to turn off stateful inspection for this SSL VPN traffic because the SSL VPN device is in a DMZ on their firewall.   They are checking with firewall vendor.
> 
> Suricata's inspection is definitely stateful.
> 
>> IDS mode with Suricata works fine.
>>
>> We have tried decreasing the TCP flow timeouts but that does not solve the problem.  We have considered using an alternative IPS to Suricata as a test to see if the problem goes away.
> 
> I would suggest /increasing/ the time outs, not decreasing.
> 
>> Do you have any ideas or suggestions?
> 
> To me it sounds like your SSL product is broken, so I'd push them for a
> fix. If their answer is to disable stateful inspection, you know they
> have problems for sure.
> 
> Cheers,
> Victor
> 
> 
>>
>> Thanks.
>>
>> -----Original Message-----
>> From: oisf-users-bounces at openinfosecfoundation.org [mailto:oisf-users-bounces at openinfosecfoundation.org] On Behalf Of Victor Julien
>> Sent: Tuesday, May 14, 2013 5:43 AM
>> To: oisf-users at openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Question on combined protocols
>>
>> On 05/13/2013 08:47 PM, Leonard Jacobs wrote:
>>>  
>>> Would Suricata and af-packet in IPS mode have difficulty processing 
>>> network traffic using combined protocols such as SOCKS over HTTPS?
>>
>> It shouldn't have. Are you seeing problems?
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
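The timeouts Victor refers to are the flow-timeouts section of suricata.yaml. The fragment below is an added illustration for readers of this thread, not text from the list or from the Suricata distribution; the numbers are hypothetical and only contrast a shortened setting (the direction the original poster tried) with a lengthened one (Victor's suggestion). The keys shown (new, established, closed, emergency-*) are the ones Suricata's flow-timeouts section uses.

```yaml
# Added example, not part of the original thread. Key names follow the
# flow-timeouts section of suricata.yaml; the values are hypothetical.

# Document 1: shortened TCP timeouts (what the poster tried). An idle session
# is dropped from the flow table after this many seconds of inactivity, so a
# late packet on a quiet SOCKS-over-HTTPS tunnel arrives for an unknown flow.
flow-timeouts:
  tcp:
    new: 10
    established: 60
    closed: 5
    emergency-new: 5
    emergency-established: 30
    emergency-closed: 5
---
# Document 2: lengthened TCP timeouts (Victor's suggestion). The tunnel stays
# tracked across idle periods, so its packets keep matching a known flow and
# the stream engine can continue reassembling it in IPS mode.
flow-timeouts:
  tcp:
    new: 120
    established: 3600
    closed: 120
    emergency-new: 30
    emergency-established: 600
    emergency-closed: 30
```

The emergency-* values apply only when the flow table is under memory pressure, so they should stay lower than the normal ones or the emergency mode has nothing to shed.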