[Oisf-users] Suricata + ipfw + unwanted block

Theron ZORBAS theronzorbas at yahoo.com
Mon Oct 7 08:46:23 UTC 2013


Hello,

I'm using Suricata version 1.4.6 RELEASE under OpenBSD 5.4 amd64 via ipfw.
I've diverted outgoing web requests on my external interface:
pass out log quick on vlan100 proto tcp from (vlan100) to any port = 80 flags S/SA scrub (reassemble tcp) divert-packet port 701
pass out log quick on vlan100 proto tcp from (vlan100) to any port = 443 flags S/SA scrub (reassemble tcp) divert-packet port 701

I can successfully see the traffic and can block with testing rules.
But I've realized that Suricata is blocking some extra requests. Because of this blocking there are performance losses:
You have to know that Suricata is blocking even when it has no rules. Here is a sample from drop.log (but there is no log in fast.log for these blocks) (if a rule matched it logs to fast.log, but these unwanted blocks are only written to drop.log)
 
O=TCP SPT=443 DPT=58619 SEQ=2804935695 ACK=2371747804 WINDOW=296 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:01.632786: IN= OUT= SRC=192.168.100.100 DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=17666 PROTO=TCP SPT=35725 DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:01.727115: IN= OUT= SRC=199.16.156.102 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=47 ID=27173 PROTO=TCP SPT=443 DPT=58835 SEQ=2348162281 ACK=3955361904 WINDOW=58 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:01.767528: IN= OUT= SRC=192.168.100.100 DST=85.111.27.167 LEN=40 TOS=0x00 TTL=64 ID=8219 PROTO=TCP SPT=33639 DPT=80 SEQ=1839439439 ACK=3038632221 WINDOW=0 ACK RST RES=0x00 URGP=0
10/07/2013-11:39:02.781027: IN= OUT= SRC=199.16.156.102 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=47 ID=27175 PROTO=TCP SPT=443 DPT=58835 SEQ=2348162281 ACK=3955361904 WINDOW=58 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:03.127516: IN= OUT= SRC=192.168.100.100 DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=61475 PROTO=TCP SPT=35725 DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:06.127572: IN= OUT= SRC=192.168.100.100 DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=12954 PROTO=TCP SPT=35725 DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:07.638406: IN= OUT= SRC=31.13.81.1 DST=10.10.10.34 LEN=162 TOS=0x00 TTL=84 ID=13321 PROTO=TCP SPT=443 DPT=58690 SEQ=4254779218 ACK=3242616673 WINDOW=137 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:08.399823: IN= OUT= SRC=199.16.156.230 DST=10.10.10.34 LEN=108 TOS=0x00 TTL=47 ID=30737 PROTO=TCP SPT=443 DPT=58706 SEQ=494824062 ACK=1570154700 WINDOW=115 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:08.736707: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=57 ID=44554 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923965 ACK=3163237138 WINDOW=262 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:08.745750: IN= OUT= SRC=199.16.156.230 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=47 ID=58908 PROTO=TCP SPT=443 DPT=58824 SEQ=186188950 ACK=3184862903 WINDOW=62 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:09.207038: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=67 TOS=0x00 TTL=57 ID=44555 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:10.167096: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=67 TOS=0x00 TTL=57 ID=44556 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:10.280290: IN= OUT= SRC=173.194.113.65 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=55 ID=14985 PROTO=TCP SPT=443 DPT=58684 SEQ=489181165 ACK=814232276 WINDOW=661 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:10.555450: IN= OUT= SRC=199.16.156.230 DST=10.10.10.34 LEN=108 TOS=0x00 TTL=47 ID=64942 PROTO=TCP SPT=443 DPT=58823 SEQ=2184787872 ACK=2439587835 WINDOW=136 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:10.857528: IN= OUT= SRC=192.168.100.100 DST=85.111.27.166 LEN=40 TOS=0x00 TTL=64 ID=25578 PROTO=TCP SPT=16044 DPT=80 SEQ=4286671192 ACK=2754483115 WINDOW=0 ACK RST RES=0x00 URGP=0
10/07/2013-11:39:11.005811: IN= OUT= SRC=173.194.112.193 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=55 ID=59883 PROTO=TCP SPT=443 DPT=58685 SEQ=2604475573 ACK=1338761892 WINDOW=661 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:12.087140: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=67 TOS=0x00 TTL=57 ID=44557 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:12.127531: IN= OUT= SRC=192.168.100.100 DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=8958 PROTO=TCP SPT=35725 DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:15.937229: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=67 TOS=0x00 TTL=57 ID=44558 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:16.369792: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=67 TOS=0x00 TTL=57 ID=59813 PROTO=TCP SPT=443 DPT=58620 SEQ=4064550715 ACK=3904868233 WINDOW=296 ACK PSH FIN RES=0x00 URGP=0
10/07/2013-11:39:17.927544: IN= OUT= SRC=192.168.100.100 DST=85.111.27.167 LEN=40 TOS=0x00 TTL=64 ID=27887 PROTO=TCP SPT=2623 DPT=80 SEQ=2600092122 ACK=318670551 WINDOW=0 ACK RST RES=0x00 URGP=0


Thanks for your help.
--
Theron ZORBAS

Note: 
stream:
checksum-validation: no

inline: yes
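Added example, not code from the post or from the Suricata project: a small Python parser for drop.log lines in the format shown above. It groups the dropped packets by TCP flag combination and by flow, and counts repeated (flow, SEQ) pairs, so a reader can check whether the unexplained drops are all session-teardown packets (FIN/RST) that were retransmitted several times, with no rule match behind them. The sample lines are copied from the post's drop.log excerpt; the log layout (timestamp, `KEY=VALUE` fields, bare flag tokens) is assumed to be exactly the one shown there, and a line without a leading timestamp (such as the truncated first line of the excerpt) is skipped rather than parsed.

```python
import re
from collections import Counter

# Sample lines taken from the drop.log excerpt in the post above.
SAMPLE_DROP_LOG = """\
10/07/2013-11:39:01.632786: IN= OUT= SRC=192.168.100.100 DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=17666 PROTO=TCP SPT=35725 DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:01.727115: IN= OUT= SRC=199.16.156.102 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=47 ID=27173 PROTO=TCP SPT=443 DPT=58835 SEQ=2348162281 ACK=3955361904 WINDOW=58 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:01.767528: IN= OUT= SRC=192.168.100.100 DST=85.111.27.167 LEN=40 TOS=0x00 TTL=64 ID=8219 PROTO=TCP SPT=33639 DPT=80 SEQ=1839439439 ACK=3038632221 WINDOW=0 ACK RST RES=0x00 URGP=0
10/07/2013-11:39:02.781027: IN= OUT= SRC=199.16.156.102 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=47 ID=27175 PROTO=TCP SPT=443 DPT=58835 SEQ=2348162281 ACK=3955361904 WINDOW=58 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:03.127516: IN= OUT= SRC=192.168.100.100 DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=61475 PROTO=TCP SPT=35725 DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:08.736707: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=57 ID=44554 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923965 ACK=3163237138 WINDOW=262 ACK FIN RES=0x00 URGP=0
10/07/2013-11:39:09.207038: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34 LEN=67 TOS=0x00 TTL=57 ID=44555 PROTO=TCP SPT=443 DPT=58833 SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0
"""

# Bare tokens in a drop.log line that are TCP flags rather than KEY=VALUE fields.
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
TS_RE = re.compile(r"\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+$")


def parse_drop_line(line):
    """Parse one drop.log line into a dict.

    Returns {'ts': ..., 'SRC': ..., 'DST': ..., ..., 'flags': frozenset}
    or None when the line does not start with a timestamp (truncated line).
    """
    if ": " not in line:
        return None
    ts, rest = line.split(": ", 1)   # first ': ' ends the timestamp
    if not TS_RE.match(ts):
        return None
    rec = {"ts": ts}
    flags = set()
    for tok in rest.split():
        if "=" in tok:                # KEY=VALUE field (IN= and OUT= are empty)
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in TCP_FLAGS:        # bare flag token
            flags.add(tok)
    rec["flags"] = frozenset(flags)
    return rec


def is_teardown(rec):
    """True when the dropped packet carries FIN or RST, i.e. it only tears a session down."""
    return bool(rec["flags"] & {"FIN", "RST"})


def summarize(log_text):
    """Aggregate a drop.log excerpt: totals, flag mix, per-flow counts, retransmissions."""
    by_flags, by_flow, by_flow_seq = Counter(), Counter(), Counter()
    total = teardown = 0
    for line in log_text.splitlines():
        rec = parse_drop_line(line)
        if rec is None:
            continue
        total += 1
        teardown += is_teardown(rec)
        by_flags[" ".join(sorted(rec["flags"]))] += 1
        flow = (rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])
        by_flow[flow] += 1
        by_flow_seq[(flow, rec["SEQ"])] += 1   # same SEQ on same flow = retransmitted segment
    return {
        "total": total,
        "teardown": teardown,
        "by_flags": by_flags,
        "by_flow": by_flow,
        "retransmitted": sum(1 for n in by_flow_seq.values() if n > 1),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_DROP_LOG)
    print(f"{s['teardown']}/{s['total']} dropped packets are FIN/RST teardown segments")
    for flags, n in s["by_flags"].most_common():
        print(f"  {n:3d}  {flags}")
    print(f"{s['retransmitted']} (flow, SEQ) pairs were dropped more than once")
```

On the excerpt every drop is a FIN/RST segment and the same FIN is dropped repeatedly on the same flow, which is the pattern of the stream engine in inline mode (`inline: yes`) refusing packets that fail its stream checks, not of a signature match; such drops are recorded in drop.log but never produce a fast.log alert. Running this over a larger drop.log and comparing the flows against fast.log is a quick way to separate rule-driven drops from stream-engine drops before changing any stream settings.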