[Oisf-users] Suricata inline - rule matching stops

Peter Manev petermanev at gmail.com
Thu May 22 13:19:24 UTC 2014


On Thu, May 22, 2014 at 3:13 PM, Özkan KIRIK <ozkan.kirik at gmail.com> wrote:

> Hi,
>
> I am running Suricata 2.0 release inline mode on FreeBSD.
> There is single rule as below:
> drop tls any any -> any any (msg:"SSL: vtunnel.com"; tls.subject:"vtunnel.com"; sid:3230059; rev:1;)
>
> At start, everything is fine. I can see drop events on fast.log.
> After a while (about 2 minutes) Suricata gives up dropping packets. No
> packets match the rule, although I tried to connect to vtunnel.com via https;
> all traffic is forwarded.
>
> No threshold configured on yaml file.
>
> How can I debug this problem?
>
> Best regards,
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>



Is it possible to reproduce/share the issue with a pcap?

thanks


-- 
Regards,
Peter Manev

