[Oisf-users] Suricata - Reject in one-arm IPS/IDS mode
Cooper F. Nelson
cnelson at ucsd.edu
Thu Apr 2 18:15:51 UTC 2015
Hi Brian,
TCP session sniping is a bit of a hack and, as you've observed, it doesn't
always work consistently or correctly. It's usually used along with an
inline deployment that will also drop the offending packets.
-Coop
On 4/2/2015 12:00 AM, Brian Hennigar wrote:
> Hi Pavel,
>
> I'm very interested in what you're able to find out. I've been testing
> out-of-band rejects on and off for the past couple months and can't get
> satisfactory results. I'll be sure to post back if I find anything.
>
> HTTP/HTTPS and SSH have been the main communications I've been trying to
> break. There's obvious connection slow down in the browser for loading
> pages but they do eventually work. The browser is persistent! SSH fails
> a little easier but not reliably. Sometimes it'll fail within a few
> seconds of the connection and other times it's 5/10/30 minutes before it
> gets disconnected or not at all. I do see the suricata events being
> triggered.
>
> Thanks,
> Brian
>
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
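An added toy model (not code from this thread or from Suricata) of the race Cooper describes: a one-arm sensor crafts its RST from the segment it just saw, but if more of the peer's data reaches the receiver before that RST does, the RST's sequence number is stale and the receiver discards it, whereas an inline sensor that drops the segment always has the right number. The Receiver class, the RFC 5961 "exact match only" versus RFC 793 "anywhere in window" acceptance rules, and the byte counts are simplified assumptions.

```python
from dataclasses import dataclass

@dataclass
class Receiver:
    """Minimal TCP receive state for one direction of a connection."""
    rcv_nxt: int          # next sequence number expected from the peer
    rcv_wnd: int = 65535  # advertised receive window

    def accept_data(self, seq, length):
        """Deliver an in-order segment; out-of-order data is ignored here."""
        if seq == self.rcv_nxt:
            self.rcv_nxt = (self.rcv_nxt + length) & 0xFFFFFFFF
            return True
        return False

    def accept_rst(self, seq, strict=True):
        """RST acceptance. strict=True models RFC 5961 hosts: only an exact
        rcv_nxt match resets, anything else draws a challenge ACK and the
        session survives. strict=False models classic RFC 793 in-window
        acceptance. A seq below rcv_nxt is stale under both rules."""
        if strict:
            return seq == self.rcv_nxt
        return self.rcv_nxt <= seq < self.rcv_nxt + self.rcv_wnd

def passive_reject(rx, seq, seglen, inflight_before_rst, strict=True):
    """One-arm (out-of-band) sensor. It sees the offending segment, builds a
    RST claiming seq = end of that segment, and injects it. The original
    segment still reaches rx, and inflight_before_rst bytes of follow-on
    data (constructed for the model) may arrive before the sensor's RST."""
    rst_seq = (seq + seglen) & 0xFFFFFFFF
    rx.accept_data(seq, seglen)
    if inflight_before_rst:
        rx.accept_data(rst_seq, inflight_before_rst)  # sensor lost the race
    return rx.accept_rst(rst_seq, strict)

def inline_reject(rx, seq, seglen, strict=True):
    """Inline sensor. The offending segment is dropped, so rx never advances
    and the RST built from rx's own expectation always lines up."""
    return rx.accept_rst(rx.rcv_nxt, strict)
```

Running the model with a burst of follow-on data (as a busy HTTP transfer produces) makes the passive RST fail under both rules, while an idle session resets cleanly.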