[Oisf-users] Question on combined protocols

Leonard Jacobs ljacobs at netsecuris.com
Tue May 14 18:50:41 UTC 2013


So I am trying to understand the flow timeouts better.  So flow timeouts are the maximum time Suricata has to process the packets, correct? So increasing the flow timeout gives a better chance of getting the packets completely processed, correct?
   
IPS takes longer to process packets than IDS, correct? Could that explain why packets are being dropped and not making it through the processing chain, so that the SSL VPN is not getting the packets, correct?
   
Thanks.
Leonard
      _____  

  From: Victor Julien [mailto:lists at inliniac.net]
To: oisf-users at openinfosecfoundation.org
Sent: Tue, 14 May 2013 09:06:00 -0600
Subject: Re: [Oisf-users] Question on combined protocols

Btw you mail server still rejects my emails, very annoying to get an
error each time I mail you:

The original message was received at Tue, 14 May 2013 15:46:19 +0200
from a80-101-90-58.adsl.xs4all.nl [80.101.90.58]

----- The following addresses had permanent fatal errors -----
<ljacobs at netsecuris.com>
(reason: 550 5.7.1 Service unavailable; Client host [83.215.238.27]
blocked using Trend Micro RBL+. Please
s...ail-abuse.com/cgi-bin/lookup?ip_address=83.215.238.27; User defined
policy matched for 83.215.238.27)

----- Transcript of session follows -----
... while talking to in.sjc.mx.trendmicro.com.:
>>> DATA
<<< 550 5.7.1 Service unavailable; Client host [83.215.238.27] blocked
using Trend Micro RBL+. Please see
http://www.mail-abuse.com/cgi-bin/lookup?ip_address=83.215.238.27; User
defined policy matched for 83.215.238.27
550 5.1.1 <ljacobs at netsecuris.com>... User unknown
<<< 554 5.5.1 Error: no valid recipients


On 05/14/2013 04:02 PM, Victor Julien wrote:
> On 05/14/2013 02:52 PM, Leonard Jacobs wrote:
>> According to references on the web, SonicWALL Aventail SSL VPN uses non-RFC compliant SSL VPN by using SOCKS over HTTPS. The references refer to problems similar to what we experience with af-packet IPS mode where packets are getting dropped (not due to IPS but just flow stops). When doing a packet capture, we see a lot of TCP Retransmissions. According to references, turning off stateful inspection for 443 on the firewall solves the problem, but Suricata is not a firewall so there is no stateful inspection.
>>
>> I am suggesting to the firewall folks that they need to turn off stateful inspection for this SSL VPN traffic because the SSL VPN device is in a DMZ on their firewall. They are checking with firewall vendor.
> 
> Suricata's inspection is definitely stateful.
> 
>> IDS mode with Suricata works fine.
>>
>> We have tried decreasing the TCP flow timeouts but that does not solve the problem. We have considered using an alternative IPS to Suricata as a test to see if the problem goes away.
> 
> I would suggest /increasing/ the time outs, not decreasing.
> 
>> Do you have any ideas or suggestions?
> 
> To me it sounds like your SSL product is broken, so I'd push them for a
> fix. If their answer is to disable stateful inspection, you know they
> have problems for sure.
> 
> Cheers,
> Victor
> 
> 
>>
>> Thanks.
>>
>> -----Original Message-----
>> From: oisf-users-bounces at openinfosecfoundation.org [mailto:oisf-users-bounces at openinfosecfoundation.org] On Behalf Of Victor Julien
>> Sent: Tuesday, May 14, 2013 5:43 AM
>> To: oisf-users at openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Question on combined protocols
>>
>> On 05/13/2013 08:47 PM, Leonard Jacobs wrote:
>>> 
>>> Would Suricata and af-packet in IPS mode have difficulty processing 
>>> network traffic using combined protocols such as SOCKS over HTTPS?
>>
>> It shouldn't have. Are you seeing problems?
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

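The flow timeouts Victor suggests raising are idle timers, not a processing budget: for each protocol and flow state, the value is the number of seconds a flow may go without any packet before Suricata expires it from the flow table. Once expired, the next packet on that 5-tuple starts a fresh flow with no stream state, which is why a long-quiet tunnel such as an SSL VPN session is a candidate for a longer established timeout. The emergency values take over once flow.memcap is reached. Below is an added illustration of the suricata.yaml flow-timeouts section with the TCP timers raised; it is not from this thread or from the Suricata project, and the numbers are illustrative choices rather than the defaults shipped with Suricata.

```yaml
# Added example (not from the thread): suricata.yaml flow-timeouts section
# with raised TCP idle timers. Each value is the number of seconds a flow may
# sit idle in that state before Suricata expires it from the flow table.
# The numbers are illustrative choices, not Suricata's shipped defaults.
flow-timeouts:
  default:                   # applies to protocols without their own section
    new: 30                  # flow seen in one direction only
    established: 300         # traffic seen in both directions
    closed: 0                # no extra grace period after the flow closes
    emergency-new: 10        # emergency-* are used once flow.memcap is reached
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 120                 # raised: allow slow handshakes through the VPN path
    established: 7200        # raised: long-lived SSL VPN tunnels that go quiet
    closed: 120              # keep closed flows long enough to see late segments
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
  udp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
  icmp:
    new: 30
    established: 300
    emergency-new: 10
    emergency-established: 100
```

Two checks before settling on values like these: a larger established timeout keeps idle flows in memory longer, so watch whether flow.memcap is being hit (at which point the emergency-* timers apply and flows are pruned far sooner than configured), and compare the flow_mgr prune counters in stats.log before and after the change to confirm that flows were actually being expired. If the retransmissions in the capture occur while the session is actively passing traffic rather than after a quiet period, the idle timeouts are not the cause and the fault lies elsewhere in the path.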