[Oisf-users] Suricata - Reject in one-arm IPS/IDS mode

Cooper F. Nelson cnelson at ucsd.edu
Thu Apr 2 18:15:51 UTC 2015



Hi Brian,

TCP session sniping is a bit of a hack and as you've observed it doesn't
always work consistently or correctly.  It's usually used along with an
inline deployment that will also drop the offending packets.

-Coop

On 4/2/2015 12:00 AM, Brian Hennigar wrote:
> Hi Pavel,
> 
> I'm very interested in what you're able to find out.  I've been testing
> out-of-band rejects on and off for the past couple months and can't get
> satisfactory results. I'll be sure to post back if I find anything.
> 
> HTTP/HTTPS and SSH have been the main communications I've been trying to
> break.  There's an obvious connection slowdown in the browser for loading
> pages but they do eventually work. The browser is persistent!  SSH fails
> a little easier but not reliably. Sometimes it'll fail within a few
> seconds of the connection and other times it's 5/10/30 minutes before it
> gets disconnected or not at all.  I do see the Suricata events being
> triggered.
> 
> Thanks,
> Brian
> 

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
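Why an out-of-band reject is a race, as an added example that is not part of the thread and not Suricata's code: a small model of a TCP receiver applying RFC 5961 reset validation, plus a passive sensor whose RST carries the sequence number it observed on the wire. The receiver model, the byte counts and the in-order-only data handling are simplifying assumptions.

```python
"""Model of why a one-arm (IDS-only) TCP reset lands inconsistently.

A passive sensor sees a client segment acknowledging up to A and emits
RST(seq=A) toward the client. If the server's next data segment reaches the
client first, the client's RCV.NXT has moved on and the RST is stale.
Constructed example; not Suricata's implementation.
"""
from dataclasses import dataclass


@dataclass
class Receiver:
    rcv_nxt: int            # next sequence number the endpoint expects
    rcv_wnd: int = 65535    # advertised receive window (assumed value)
    closed: bool = False
    challenge_acks: int = 0

    def deliver_data(self, seq: int, length: int) -> None:
        """In-order data only; out-of-order queuing is omitted."""
        if not self.closed and seq == self.rcv_nxt:
            self.rcv_nxt += length

    def deliver_rst(self, seq: int) -> str:
        """RFC 5961 section 3.2: accept only an exact RCV.NXT match."""
        if self.closed:
            return "already-closed"
        if seq == self.rcv_nxt:
            self.closed = True
            return "accepted"
        if self.rcv_nxt < seq < self.rcv_nxt + self.rcv_wnd:
            self.challenge_acks += 1    # in-window but not exact: challenge ACK
            return "challenge-ack"
        return "dropped"                # outside the window: silently discarded


def simulate(server_bytes_before_rst: int, observed_ack: int = 1000) -> str:
    """Outcome of the sensor's RST when `server_bytes_before_rst` bytes of
    legitimate server data reach the client before the injected RST does."""
    client = Receiver(rcv_nxt=observed_ack)
    rst_seq = observed_ack                  # what the sensor saw in the ACK field
    if server_bytes_before_rst:
        client.deliver_data(observed_ack, server_bytes_before_rst)
    return client.deliver_rst(rst_seq)


def race_outcomes(delays_in_bytes) -> dict:
    """Map each race condition to the RST's fate; 0 means the sensor won."""
    return {d: simulate(d) for d in delays_in_bytes}
```

On a busy HTTP or SSH flow the server usually wins this race, which is the inconsistency Brian describes; an inline deployment that also drops the matching packets does not depend on winning it.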


